Vendor: Microsoft Exam Code: 70-411 Exam Name: Administering Windows Server 2012 R2 Exam

Download as pdf or txt
Download as pdf or txt
You are on page 1of 401

Vendor: Microsoft

Exam Code: 70-411

Exam Name: Administering Windows Server 2012 R2 Exam

Version: 16.011
QUESTION 1
Your network contains an Active Directory domain named contoso.com.
The domain contains a domain controller named DC1 that runs Windows Server 2012 R2.
All client computers run Windows 8 Enterprise. DC1 contains a Group Policy object (GPO)
named GPO1.
You need to deploy a VPN connection to all users.
What should you configure from Users Configuration in GPO1?

A. Policies/Administrative Templates/Network/Network Connections


B. Policies/Administrative Templates/Network/Windows Connect Now
C. Preferences/Control Panel Settings/Network Options
D. Policies/Administrative Templates/Windows Components/Windows Mobility Centre

Answer: C
Explanation:
http://technet.microsoft.com/en-us/library/cc772107.aspx
To create a new Dial-Up Connection preference item
Open the Group Policy Management Console.
Right-click the Group Policy object (GPO) that should contain the new preference item, and then
click Edit.
In the console tree under Computer Configuration or User Configuration, expand the Preferences
folder, and then expand the Control Panel Settings folder.
Right-click the Network Options node, point to New, and select Dial-Up Connection.

QUESTION 2
Your network contains an Active Directory domain named contoso.com. The domain contains
domain controllers that run Windows Server 2008, Windows Server 2008 R2 Windows Server
2012, and Windows Server 2012 R2.
A domain controller named DC1 runs Windows Server 2012 R2. DC1 is backed up daily.
During routine maintenance, you delete a group named Group1.
You need to recover Group1 and identify the names of the users who were members of Group1
prior to its deletion.
You want to achieve this goal by using the minimum amount of administrative effort.
What should you do first?

A. Perform an authoritative restore of Group1.


B. Mount the most recent Active Directory backup.
C. Use the Recycle Bin to restore Group1.
D. Reactivate the tombstone of Group1.

Answer: A
Explanation:
The Active Directory Recycle Bin does not have the ability to track simple changes to objects. If
the object itself is not deleted, no element is moved to the Recycle Bin for possible recovery in
the future.
In other words, there is no rollback capacity for changes to object properties, or, in other words, to
the values of these properties. There is another approach you should be aware of. Tombstone
reanimation (which has nothing to do with zombies) provides the only way to recover deleted
objects without taking a DC offline, and it's the only way to recover a deleted object's identity
information, such as its objectGUID and objectSid attributes.
It neatly solves the problem of recreating a deleted user or group and having to fix up all the old
access control list (ACL) references, which contain the objectSid of the deleted object.
Restores domain controllers to a specific point in time, and marks objects in Active Directory as
being authoritative with respect to their replication partners.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 2
http://www.braindump2go.com
QUESTION 3
Your network contains an Active Directory domain named adatum.com.
You have a standard primary zone named adatum.com.
You need to provide a user named User1 the ability to modify records in the zone.
Other users must be prevented from modifying records in the zone.
What should you do first?

A. Run the Zone Signing Wizard for the zone.


B. From the properties of the zone, change the zone type.
C. Run the new Delegation Wizard for the zone.
D. From the properties of the zone, modify the Start Of Authority (SOA) record.

Answer: B
Explanation:
The Zone would need to be changed to a AD integrated zone When you use directory-integrated
zones, you can use access control list (ACL) editing to secure a dnsZone object container in the
directory tree. This feature provides detailed access to either the zone or a specified resource
record in the zone. For example, an ACL for a zone resource record can be restricted so that
dynamic updates are allowed only for a specified client computer or a secure group, such as a
domain administrators group. This security feature is not available with standard primary zones
DNS update security is available only for zones that are integrated into Active Directory.
After you integrate a zone, you can use the access control list (ACL) editing features that are
available in the DNS snap-in to add or to remove users or groups from the ACL for a specific
zone or for a resource record.
Standard (not an Active Directory integrated zone) has no Security settings:

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 3
http://www.braindump2go.com
You need to firstly change the "Standard Primary Zone" to AD Integrated Zone:

Now there's Security tab:

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 4
http://www.braindump2go.com
http://technet.microsoft.com/en-us/library/cc753014.aspx
http://technet.microsoft.com/en-us/library/cc726034.aspx
http://support.microsoft.com/kb/816101

QUESTION 4
Your network contains an Active Directory domain named contoso.com.
The domain contains a server named Server1 that runs Windows Server 2012 R2 and has the
Network Policy Server role service installed.
You need to enable trace logging for Network Policy Server (NPS) on Server1.
Which tool should you use?

A. The tracert.exe command


B. The Network Policy Server console
C. The Server Manager console
D. The netsh.exe command

Answer: D
Explanation:
You can use log files on servers running Network Policy Server (NPS) and NAP client computers
to help troubleshoot NAP problems.
Log files can provide the detailed information required for troubleshooting complex problems.
You can capture detailed information in log files on servers running NPS by enabling remote
access tracing. The Remote Access service does not need to be installed or running to use
remote access tracing. When you enable tracing on a server running NPS, several log files are
created in %windir%\tracing.
The following log files contain helpful information about NAP:
IASNAP.LOG: Contains detailed information about NAP processes, NPS
authentication, and NPS authorization.
IASSAM.LOG: Contains detailed information about user authentication and
authorization.
Membership in the local Administrators group, or equivalent, is the
minimum required to enable tracing. Review details about using the
appropriate accounts and group memberships at Local and Domain Default
Groups
(http://go.microsoft.com/fwlink/?LinkId=83477).
To create tracing log files on a server running NPS
Open a command line as an administrator.
Type netshras set tr * en.
Reproduce the scenario that you are troubleshooting.
Type netshras set tr * dis.
Close the command prompt window.
http://technet.microsoft.co47m/en-us/library/dd348461%28v=ws.10%29.aspx

QUESTION 5
You have a server named Server1 that has the Web Server (IIS) server role installed.
You obtain a Web Server certificate.
You need to configure a website on Server1 to use Secure Socket Layer (SSL).
To which store should you import the certificate?
To answer, select the appropriate store in the answer area.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 5
http://www.braindump2go.com
Answer:

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 6
http://www.braindump2go.com
Explanation:
The certificate for the Web server must be in the memory own certificates on the local computer
to import. The import can be either with the Certificates snap-in or the Internet Information
Services (IIS) Manager on the feature page server certificates done.

QUESTION 6
Your network contains an Active Directory domain named contoso.com.
The domain contains a domain controller named DC1. DC1 is a DNS server for contoso.com.
The properties of the contoso.com zone are configured as shown in the exhibit. (Click the Exhibit
button.)

The domain contains a server named Server1 that is part of a workgroup named Workgroup.
Server1 is configured to use DC1 as a DNS server.
You need to ensure that Server1 dynamically registers a host (A) record in the contoso.com zone.
What should you configure?

A. The Dynamic updates setting of the contoso.com zone


B. The workgroup name of Server1
C. The primary DNS suffix of Server1
D. The Security settings of the contoso.com zone

Answer: C

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 7
http://www.braindump2go.com
Explanation:
When any computer or a standalone server is added to a domain as a member, the network
identifies that computer with its Fully Qualified Domain Name or FQDN. A Fully Qualified Domain
Name consist of a hostname and the DNs suffix separated by a "." called period. An example for
this can be server01.msftdomain.com where "server01 is the hostname of the computer and
"msftdomain.com" is the DNS suffix which follows the hostname. A complete FQDN of a client
computer or a member server uniquely identifies that computer in the entire domain.
Primary DNS suffix must manually be added in Windows 8 computer to change its hostname to
Fully Qualified Domain Name so that it becomes eligible to send queries and receive responses
from the DNS server. Following are the steps which can be implemented to add primary DNS
suffix to a Windows 8 computer hostname:
Log on to Windows 8 computer with administrator account.
From the options available on the screen click Control Panel.
On the opened window click More Settings from the left pane.
On the next window click System and Security category and on the appeared window click
System. On View basic information about your computer window click Change settings under
Computer name, domain, and workgroup settings section.
On System Properties box make sure that Computer Name tab is selected and click Change
button.
On Computer Name/Domain Changes box click More button.
On DNS Suffix and NetBIOS Computer Name box type in the DNS domain name as the DNS
suffix to the Windows 8 computer under Primary DNS suffix of this computer field. Click Ok button
on all the boxes and restart the computer to allow changes to take effect.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 8
http://www.braindump2go.com
For years, Windows DNS has supported dynamic updates, whereas a DNS client host registers
and dynamically updates the resource records with a DNS server. If a host's IP address changes,
the resource record (particularly the A record) for the host is automatically updated, while the host
utilizes the DHCP server to dynamically update its Pointer (PTR) resource record. Therefore,
when a user or service needs to contact a client PC, it can look up the IP address of the host.
With larger organizations, this becomes an essential feature, especially for clients that frequently
move or change locations and use DHCP to automatically obtain an IP address. For dynamic
DNS updates to succeed, the zone must be configured to accept dynamic updates:

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 9
http://www.braindump2go.com
http://technet.microsoft.com/en-us/library/cc778792%28v=ws.10%29.aspx
http://technet.microsoft.com/en-us/library/cc778792%28v=ws.10%29.aspx
http://www.advicehow.com/adding-primary-dns-suffix-in-microsoft-windows-8/
http://technet.microsoft.com/en-us/library/cc959611.aspx

QUESTION 7
Your network contains an Active Directory domain named contoso.com. The domain contains six
domain controllers named DC1, DC2, DC3, DC4, DC5, and DC6. Each domain controller has the
DNS Server server role installed and hosts an Active Directory-integrated zone for contoso.com.
You plan to create a new Active Directory-integrated zone named litwareinc.com that will be used
for testing.
You need to ensure that the new zone will be available only on DC5 and DC6.
What should you do first?

A. Create an application directory partition.


B. Change the zone replication scope.
C. Create an Active Directory connection object.
D. Create an Active Directory site link.

Answer: A
Explanation:
A partition is a data structure in AD DS that distinguishes data for different replication purposes.
When you create an application directory partition for DNS, you can control the scope of
replication for the zone that is stored in that partition
http://technet.microsoft.com/en-us/library/cc754292.aspx

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 10
http://www.braindump2go.com
QUESTION 8
Your network contains a DNS server named Server1 that runs Windows Server 2012 R2. Server1
has a zone named contoso.com. The network contains a server named Server2 that runs
Windows Server 2008 R2. Server1 and Server2 are members of an Active Directory domain
named contoso.com.
You change the IP address of Server2. Several hours later, some users report that they cannot
connect to Server2.
On the affected users' client computers, you flush the DNS client resolver cache, and the users
successfully connect to Server2.
You need to reduce the amount of time that the client computers cache DNS records from
contoso.com.
Which value should you modify in the Start of Authority (SOA) record?
To answer, select the appropriate setting in the answer area.

Answer:

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 11
http://www.braindump2go.com
Explanation:
The Default TTL, is just that a default for newly created records. Once the records are created
their TTL is independent of the Default TTL on the SOA. Microsoft DNS implementation copies
the Default TTL setting to all newly created records their by giving them all independent TTL
settings.
SOA Minimum Field: The SOA minimum field has been overloaded in the past to have three
different meanings, the minimum TTL value of all RRs in a zone, the default TTL of RRs which
did not contain a TTL value and the TTL of negative responses.
Despite being the original defined meaning, the first of these, the minimum TTL value of all RRs
in a zone, has never in practice been used and is hereby deprecated. The second, the default
TTL of RRs which contain no explicit TTL in the master zone file, is relevant only at the primary
server. After a zone transfer all RRs have explicit TTLs and it is impossible to determine whether
the TTL for a record was explicitly set or derived from the default after a zone transfer. Where a
server does not require RRs to include the TTL value explicitly, it should provide a mechanism,
not being the value of the MINIMUM field of the SOA record, from which the missing TTL values
are obtained. How this is done is implementation dependent.
TTLs also occur in the Domain Name System (DNS), where they are set by an authoritative name
server for a particular resource record. When a caching (recursive) nameserver queries the
authoritative nameserver for a resource record, it will cache that record for the time (in seconds)
specified by the TTL. If a stub resolver queries the caching nameserver for the same record
before the TTL has expired, the caching server will simply reply with the already cached resource
record rather than retrieve it from the authoritative nameserver again.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 12
http://www.braindump2go.com
Shorter TTLs can cause heavier loads on an authoritative nameserver, but can be useful when
changing the address of critical services like Web servers or MX records, and therefore are often
lowered by the DNS administrator prior to a service being moved, in order to minimize
disruptions.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 13
http://www.braindump2go.com
http://support.microsoft.com/kb/297510/en-us
http://support.microsoft.com/kb/297510/en-us
https://en.wikipedia.org/wiki/Time_to_live
http://www.faqs.org/rfcs/rfc2308.html#ixzz0qVpTEitk

QUESTION 9
Your network contains an Active Directory domain named contoso.com. The domain contains a
server named Server1 that runs Windows Server 2012 R2.
You enable and configure Routing and Remote Access (RRAS) on Server1.
You create a user account named User1.
You need to ensure that User1 can establish VPN connections to Server1.
What should you do?

A. Create a network policy.


B. Modify the members of the Remote Management Users group.
C. Create a connection request policy.
D. Add a RADIUS client.

Answer: A
Explanation:
A. Configure your VPN server to use Network Access Protection (NAP) to enforce health
requirement policies.
B. determines which users and groups should have permission to log on remotely
C. Connection request policies are sets of conditions and settings that allow network
administrators to designate which Remote Authentication Dial-In User Service (RADIUS) servers
perform the authentication and authorization of connection requests that the server running
Network Policy Server (NPS) receives from RADIUS client
D. A network access server (NAS) is a device that provides some level of access to a larger
network. A NAS using a RADIUS infrastructure is also a RADIUS client, sending connection
requests and accounting messages to a RADIUS server for authentication, authorization, and
accounting.
http://technet.microsoft.com/en-us/library/dd314165(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/dd469733.aspx
http://technet.microsoft.com/en-us/library/dd469660.aspx
http://technet.microsoft.com/en-us/library/cc753603.aspx
http://technet.microsoft.com/en-us/library/cc754033.aspx

QUESTION 10
Drag and Drop Question
You have a server named Server1 that runs Windows Server 2012 R2. Server1 has the Network
Policy and Access Services server role installed.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 14
http://www.braindump2go.com
All of the VPN servers on your network use Server1 for RADIUS authentication.
You create a security group named Group1.
You need to configure Network Policy and Access Services (NPAS) to meet the following
requirements:

- Ensure that only the members of Group1 can establish a VPN connection
to the VPN servers.
- Allow only the members of Group1 to establish a VPN connection to the
VPN servers if the members are using client computers that run Windows
8 or later.

Which type of policy should you create for each requirement?


To answer, drag the appropriate policy types to the correct requirements. Each policy type may
be used once, more than once, or not at all. You may need to drag the split bar between panes or
scroll to view content.

Answer:

QUESTION 11
Your network contains an Active Directory domain named contoso.com.
The domain contains a server named Server1 that runs Windows Server 2012 R2.
Server1 has the Network Policy Server server role installed.
You need to allow connections that use 802.1x.
What should you create?

A. A network policy that uses Microsoft Protected EAP (PEAP) authentication


B. A network policy that uses EAP-MSCHAP v2 authentication
C. A connection request policy that uses EAP (PEAP) authentication
D. A connection request policy that uses MS-CHAP v2 authentication

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 15
http://www.braindump2go.com
Answer: B
Explanation:
802.1X - uses EAP, EAP-TLS, EAP-MS-CHAP v2, and PEAP authentication methods:
EAP (Extensible Authentication Protocol) uses an arbitrary authentication method, such as
certificates, smart cards, or credentials. EAP-TLS (EAP-Transport Layer Security) is an EAP type
that is used in certificate- based security environments, and it provides the strongest
authentication and key determination method.
EAP-MS-CHAP v2 (EAP-Microsoft Challenge Handshake Authentication Protocol version 2) is a
mutual authentication method that supports password-based user or computer authentication.
PEAP (Protected EAP) is an authentication method that uses TLS to enhance the security of
other EAP authentication protocols.
Connection request policies are sets of conditions and settings that allow network administrators
to designate which Remote Authentication Dial-In User Service (RADIUS) servers perform the
authentication and authorization of connection requests that the server running Network Policy
Server (NPS) receives from RADIUS clients. Connection request policies can be configured to
designate which RADIUS servers are used for RADIUS accounting.
With connection request policies, you can use NPS as a RADIUS server or as a RADIUS proxy,
based on factors such as the following:
The time of day and day of the week
The realm name in the connection request
The type of connection being requested
The IP address of the RADIUS client

QUESTION 12
You have a server named Server1 that runs Windows Server 2012 R2. Server1 has the Remote
Access server role installed. On Server1, you create a network policy named PPTP_Policy.
You need to configure PPTP_Policy to apply only to VPN connections that use the PPTP
protocol.
What should you configure in PPTP_Policy?

A. The Service Type


B. The Tunnel Type
C. The Framed Protocol
D. The NAS Port Type

Answer: B
Explanation:
A. Restricts the policy to only clients specifying a certain type of service, such as Telnet or Point
to Point Protocol connections.
B. Restricts the policy to only clients that create a specific type of tunnel, such as PPTP or L2TP.
C. Restricts the policy to clients that specify a certain framing protocol for incoming packets, such
as PPP or SLIP.
D. Allows you to specify the type of media used by the client computer to connect to the network.
http://technet.microsoft.com/en-us/library/cc731220(v=ws.10).aspx

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 16
http://www.braindump2go.com
QUESTION 13
Your network contains a RADIUS server named Server1.
You install a new server named Server2 that runs Windows Server 2012 R2 and has Network
Policy Server (NPS) installed.
You need to ensure that all accounting requests for Server2 are forwarded to Server1.
On Server2, you configure a Connection Request Policy.
What else should you configure on Server2?
To answer, select the appropriate node in the answer area.

Answer:

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 17
http://www.braindump2go.com
Explanation:
When you configure Network Policy Server (NPS) as a Remote Authentication Dial-In User
Service (RADIUS) proxy, you use NPS to forward connection requests to RADIUS servers that
are capable of processing the connection requests because they can perform authentication and
authorization in the domain where the user or computer account is located. For example, if you
want to forward connection requests to one or more RADIUS servers in untrusted domains, you
can configure NPS as a RADIUS proxy to forward the requests to the remote RADIUS servers in
the untrusted domain. To configure NPS as a RADIUS proxy, you must create a connection
request policy that contains all of the information required for NPS to evaluate which messages to
forward and where to send the messages.
When you configure a remote RADIUS server group in NPS and you configure a connection
request policy with the group, you are designating the location where NPS is to forward
connection requests.
http://technet.microsoft.com/en-us/library/cc754518.aspx

QUESTION 14
Your network contains two Active Directory forests named contoso.com and adatum.com. The
contoso.com forest contains a server named server1.contoso.com. The adatum.com forest
contains a server named server2.adatum.com. Both servers have the Network Policy Server role
service installed. The network contains a server named Server3. Server3 is located in the
perimeter network and has the Network Policy Server role service installed.
You plan to configure Server3 as an authentication provider for several VPN servers.
You need to ensure that RADIUS requests received by Server3 for a specific VPN server are
always forwarded to server1.contoso.com.
Which two should you configure on Server3? (Each correct answer presents part of the solution.
Choose two.)

A. Network policies
B. Remote RADIUS server groups
C. Connection authorization policies
D. Remediation server groups
E. Connection request policies

Answer: BE

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 18
http://www.braindump2go.com
Explanation:
When you configure Network Policy Server (NPS) as a Remote Authentication Dial-In User
Service (RADIUS) proxy, you use NPS to forward connection requests to RADIUS servers that
are capable of processing the connection requests because they can perform authentication and
authorization in the domain where the user or computer account is located. For example, if you
want to forward connection requests to one or more RADIUS servers in untrusted domains, you
can configure NPS as a RADIUS proxy to forward the requests to the remote RADIUS servers in
the untrusted domain.
To configure NPS as a RADIUS proxy, you must create a connection request policy that contains
all of the information required for NPS to evaluate which messages to forward and where to send
the messages.
When you configure a remote RADIUS server group in NPS and you configure a connection
request policy with the group, you are designating the location where NPS is to forward
connection requests.
http://technet.microsoft.com/en-us/library/cc754518.aspx

QUESTION 15
Hotspot Question
You have a server named Server1 that runs Windows Server 2012 R2.
You configure Network Access Protection (NAP) on Server1.
Your company implements a new security policy stating that all client computers must have the
latest updates installed. The company informs all employees that they have two weeks to update
their computer accordingly.
You need to ensure that if the client computers have automatic updating disabled, they are
provided with full access to the network until a specific date and time.
Which two nodes should you configure?
To answer, select the appropriate two nodes in the answer area.

Answer:

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 19
http://www.braindump2go.com
Explanation:

QUESTION 16
Your network contains an Active Directory forest. The forest contains two domains named
contoso.com and fabrikam.com. All of the DNS servers in both of the domains run Windows
Server 2012 R2.
The network contains two servers named Server1 and Server2. Server1 hosts an Active
Directory-integrated zone for contoso.com. Server2 hosts an Active Directory-integrated zone for
fabrikam.com. Server1 and Server2 connect to each other by using a WAN link.
Client computers that connect to Server1 for name resolution cannot resolve names in
fabrikam.com.
You need to configure Server1 to support the resolution of names in fabrikam.com.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 20
http://www.braindump2go.com
The solution must ensure that users in contoso.com can resolve names in fabrikam.com if the
WAN link fails.
What should you do on Server1?

A. Add a forwarder.
B. Create a stub zone.
C. Create a conditional forwarder.
D. Create a secondary zone.

Answer: D
Explanation:
http://technet.microsoft.com/en-us/library/cc771898.aspx
When a zone that this DNS server hosts is a secondary zone, this DNS server is a secondary
source for information about this zone. The zone at this server must be obtained from another
remote DNS server computer that also hosts the zone With secondary, you have ability to resolve
records from the other domain even if its DNS servers are temporarily unavailable
While secondary zones contain copies of all the resource records in the corresponding zone on
the master name server, stub zones contain only three kinds of resource records:
A copy of the SOA record for the zone.
Copies of NS records for all name servers authoritative for the zone. Copies of A records for all
name servers authoritative for the zone.
http://www.windowsnetworking.com/articles-tutorials/windows-2003/DNS_Stub_Zones.html
http://technet.microsoft.com/en-us/library/cc771898.aspx
http://redmondmag.com/Articles/2004/01/01/The-Long-and-Short-of-Stub-Zones.aspx?Page=2

QUESTION 17
Hotspot Question
Your network contains an Active Director domain named contoso.com. The domain contains a file
server named Server1. All servers run Windows Server 2012 R2.
You have two user accounts named User1 and User2.
User1 and User2 are the members of a group named Group1.
User1 has the Department value set to Accounting, user2 has the Department value set to
Marketing.
Both users have the Employee Type value set to Contract Employee.
You create the auditing entry as shown in the exhibit. (Click the Exhibit button.)

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 21
http://www.braindump2go.com
To answer, complete each statement according to the information presented in the exhibit.
Each correct selection is worth one point.

Answer:

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 22
http://www.braindump2go.com
Explanation:
The Auditing Entry events for file access logs that match the misconfigured permissions and
carried out by a principal that satisfies both conditions for Sarah is the attribute Department with
the value marketing festgelgt.

The condition for the attribute department may have to be changed accordingly, so that their
deletions are logged. In order to monitor the opening of files, read access must be involved in the
monitoring.

QUESTION 18
Your network contains two servers named Server1 and Server2. Both servers run Windows
Server 2012 R2 and have the DNS Server server role installed. Server1 hosts a primary zone for
contoso.com. Server2 hosts a secondary zone for contoso.com. The zone is not configure to
notify secondary servers of changes automatically.
You update several records on Server1.
You need to force the replication of the contoso.com zone records from Server1 to Server2.
What should you do from Server2?

A. Right-click Server2 and click Update Server Data Files.


B. Right-click Server2 and click Refresh.
C. Right-click the contoso.com zone and click Reload.
D. Right-click the contoso.com zone and click Transfer from Master.

Answer: D
Explanation:
A. For standard primary zones, this procedure causes the DNS server to immediately write its in-
memory changes out to disk for storage with the zone file.
D. Initiates zone transfer from secondary server
http://technet.microsoft.com/en-us/library/cc786985(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc779391(v=ws.10).aspx

QUESTION 19
Your network contains an Active Directory domain named contoso.com. All servers run Windows
Server 2012 R2.
The network contains several group Managed Service Accounts that are used by four member
servers.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 23
http://www.braindump2go.com
You need to ensure that if a group Managed Service Account resets a password of a domain user
account, an audit entry is created.
You create a Group Policy object (GPO) named GPO1.
What should you do next?

A. In GPO1, configure the Advanced Audit Policy Configuration settings for Audit User Account
Management.
Link GPO1 to the Domain Controllers organizational unit (OU).
B. In GPO1, configure the Advanced Audit Policy Configuration settings for Audit User Account
Management.
Move the member servers to a new organizational unit (OU).
Link GPO1 to the new OU.
C. In GPO1, configure the Advanced Audit Policy Configuration settings for Audit Sensitive Privilege
Use.
Link GPO1 to the Domain Controllers organizational unit (OU).
D. In GPO1, configure the Advanced Audit Policy Configuration settings for Audit Sensitive Privilege
Use.
Move the member servers to a new organizational unit (OU).
Link GPO1 to the new OU.

Answer: A
Explanation:
Audit User Account Management
This security policy setting determines whether the operating system generates audit events
when the following user account management tasks are performed:
- A user account is created, changed, deleted, renamed, disabled,
enabled, locked out, or unlocked.
- A user account password is set or changed.
- Security identifier (SID) history is added to a user account.
- The Directory Services Restore Mode password is set.
- Permissions on accounts that are members of administrators groups are
changed.
- Credential Manager credentials are backed up or restored.
This policy setting is essential for tracking events that involve provisioning and managing
user accounts.

QUESTION 20
You have a DNS server named Server1 that has a Server Core Installation on Windows Server
2012 R2.
You need to view the time-to-live (TTL) value of a name server (NS) record that is cached by the
DNS Server service on Server1.
What should you run?

A. Show-DNSServerCache
B. dnscacheugc.exe
C. ipconfig.exe /displaydns
D. nslookup.exe

Answer: A
Explanation:
Show-DnsServerCache - Shows the records in a DNS Server Cache.
The Show-DNSServerCache shows all cached Domain Name System (DNS) server resource
records in the following format: Name, ResourceRecordData, Time-to-Live (TTL).

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 24
http://www.braindump2go.com
http://technet.microsoft.com/en-us/library/jj649915.aspx
http://www.windowsnetworking.com/articles_tutorials/Managing-DNS-servers-using-
PowerShell.html

QUESTION 21
Your network contains a single Active Directory domain named contoso.com.
The domain contains a domain controller named DC1 that hosts the primary DNS zone for
contoso.com.
All servers dynamically register their host names.
You install the new Web servers that host identical copies of your company's intranet website.
The servers are configured as shown in the following table.

You need to use DNS records to load balance name resolution queries for intranet.contoso.com
between the two Web servers.
What is the minimum number of DNS records that you should create manually?

A. 1
B. 3
C. 4
D. 6

Answer: B
Explanation:
To create DNS Host (A) Records for all internal pool servers
1. Click Stabrt, click All Programs, click Administrative Tools, and then click DNS.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 25
http://www.braindump2go.com
2. In DNS Manager, click the DNS Server that manages your records to expand it.
3. Click Forward Lookup Zones to expand it.
4. Right-click the DNS domain that you need to add records to, and then click New Host (A or
AAAA).
5. In the Name box, type the name of the host record (the domain name will be automatically
appended).
6. In the IP Address box, type the IP address of the individual Front End Server and then select
Create associated pointer (PTR) record or Allow any authenticated user to update.
DNS records with the same owner name, if applicable.
7. Continue creating records for all member Front End Servers that will participate in DNS Load
Balancing.
For example, if you had a pool named pool1.contoso.com and three Front End Servers, you
would create the following DNS entries:

http://technet.microsoft.com/en-us/library/cc772506.aspx
http://technet.microsoft.com/en-us/library/gg398251.aspx

QUESTION 22
You have a server named Server1 that runs Windows Server 2012 R2. Server1 has the Remote
Access server role installed.
You need to configure the ports on Server1 to ensure that client computers can establish VPN
connections to Server1. The solution must NOT require the use of certificates or pre-shared keys.
What should you modify?
To answer, select the appropriate object in the answer area.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 26
http://www.braindump2go.com
Answer:

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 27
http://www.braindump2go.com
Explanation:
The four types of tunneling protocols used with a VPN/RAS server running on Windows Server
2012 include:
Point-to-Point Tunneling Protocol (PPTP):
A VPN protocol based on the legacy Point-to-Point protocol used with modems.
The PPTP specification does not describeencryption or authentication features and relies on the
Point-to-Point Protocol being tunneled to implement security functionality.
Layer 2 Tunneling Protocol (L2TP): Used with IPsec to provide security.
L2TP supports either computer certificates or a preshared key as the authentication method for
IPsec. IKEv2: IKE is short for Internet Key Exchange, which is a tunneling protocol that uses
IPsec Tunnel Mode protocol. The message is encrypted with one of the following protocols by
using encryption keys that are generated from the IKEv2 negotiation process.
Secure Socket Tunneling Protocol (SSTP): Introduced with Windows Server 2008, which uses
the HTTPS protocol over TCP port 443 to pass traffic through firewalls
http://en.wikipedia.org/wiki/Point-to-Point_Tunneling_Protocol

QUESTION 23
Hotspot Question
You have a server named Servers that runs Windows Server 2012 R2. Servers has the Windows
Deployment Services server role installed.
Server5 contains several custom images of Windows 8.
You need to ensure that when 32-bit client computers start by using PXE, the computers
automatically install an image named Image 1.
What should you configure?
To answer, select the appropriate tab in the answer area.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 28
http://www.braindump2go.com
Answer:

Explanation:
On the Register Client separate answer files can be stored for unattended installation for different
processor architectures

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 29
http://www.braindump2go.com
QUESTION 24
You have a cluster named Cluster1 that contains two nodes. Both nodes run Windows Server
2012 R2. Cluster1 hosts a virtual machine named VM1 that runs Windows Server 2012 R2.
You configure a custom service on VM1 named Service1.
You need to ensure that VM1 will be moved to a different node if Service1 fails.
Which cmdlet should you run on Cluster1?

A. Add-ClusterVmMonitoredItem
B. Add-ClusterGenericServiceRole
C. Set-ClusterResourceDependency
D. Enable VmResourceMetering

Answer: A
Explanation:
The Add-ClusterVMMonitoredItem cmdlet configures monitoring for a service or an Event

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 30
http://www.braindump2go.com
Tracing for Windows (ETW) event so that it is monitored on a virtual machine. If the service fails
or the event occurs, then the system responds by taking an action based on the failover
configuration for the virtual machine resource. For example, the configuration might specify that
the virtual machine be restarted.

QUESTION 25
Your company has a main office and a branch office.
The main office contains a server that hosts a Distributed File System (DFS) replicated folder.
You plan to implement a new DFS server in the branch office.
You need to recommend a solution that minimizes the amount of network bandwidth used to
perform the initial synchronization of the folder to the branch office.
You recommend using the Export-DfsrClone and Import-DfsrClonecmdlets.
Which additional command or cmdlet should you include in the recommendation?

A. Robocopy.exe
B. Synchost.exe
C. Export-BcCachePackage
D. Sync-DfsReplicationGroup

Answer: A
Explanation:
By preseeding files before you set up DFS Replication, add a new replication partner, or replace
a server, you can speed up initial synchronization and enable cloning of the DFS Replication
database in Windows Server 2012 R2. The Robocopy method is one of several preseeding
methods

QUESTION 26
Your network contains an Active Directory domain named contoso.com.
You have several Windows PowerShell scripts that execute when users log on to their client
computer.
You need to ensure that all of the scripts execute completely before the users can access their
desktop.
Which setting should you configure?
To answer, select the appropriate setting in the answer area.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 31
http://www.braindump2go.com
Answer:

Explanation:
http://technet.microsoft.com/en-us/library/cc738773(v=ws.10).aspx
Run logon scripts synchronously
Directs the system to wait for logon scripts to finish running before it starts the Windows Explorer
interface program and creates the desktop.
If you enable this policy, Windows Explorer does not start until the logon scripts have finished
running. This setting assures that logon script processing is complete before the user starts
working, but it can delay the appearance of the desktop.
If you disable this policy or do not configure it, the logon scripts and Windows Explorer are not
synchronized and can run simultaneously.

QUESTION 27
Your network contains an Active Directory domain named contoso.com. All domain controllers
run Windows Server 2012 R2.
An organizational unit (OU) named OU1 contains 200 client computers that run Windows 8
Enterprise. A Group Policy object (GPO) named GPO1 is linked to OU1.
You make a change to GPO1.
You need to force all of the computers in OU1 to refresh their Group Policy settings immediately.
The solution must minimize administrative effort.
Which tool should you use?

A. Server Manager
B. Active Directory Users and Computers
C. The Gpupdate command
D. Group Policy Management Console (GPMC)

Answer: D
Explanation:
Starting with Windows Server 2012 and Windows 8, you can now remotely refresh Group Policy
settings for all computers in an OU from one central location through the Group Policy
Management Console (GPMC). Or you can use the Invoke- GPUpdatecmdlet to refresh Group
Policy for a set of computers, not limited to the OU structure, for example, if the computers are

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 32
http://www.braindump2go.com
located in the default computers container.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 33
http://www.braindump2go.com
http://technet.microsoft.com/en-us//library/jj134201.aspx
http://blogs.technet.com/b/grouppolicy/archive/2012/11/27/group-policy-in-windows-server-2012-
using-remote-gpupdate.aspx

QUESTION 28
Your network contains an Active Directory domain named contoso.com. Domain controllers run
either Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012 R2.
You have a Password Settings object (PSOs) named PSO1.
You need to view the settings of PSO1.
Which tool should you use?

A. Group Policy Management


B. Server Manager
C. Get-ADAccountResultantPasswordReplicationPolicy
D. Active Directory Administrative Center

Answer: D
Explanation:
http://technet.microsoft.com/en-us/library/cc770848(v=ws.10).aspx
Incorrect:
* Get-ADFineGrainedPasswordPolicy
Gets one or more Active Directory fine grained password policies.
* To store fine-grained password policies, Windows Server 2008 includes two new object classes
in the Active Directory Domain Services (AD DS) schema:
Password Settings Container
Password Settings
The Password Settings Container (PSC) object class is created by default under the System
container in the domain. It stores the Password Settings objects (PSOs) for that domain.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 34
http://www.braindump2go.com
QUESTION 29
Your network contains an Active Directory domain named contoso.com. The domain contains
more than 100 Group Policy objects (GPOs). Currently, there are no enforced GPOs.
You need to prevent all of the GPOs at the site level and at the domain level from being applied
to users and computers in an organizational unit (OU) named OU1.
You want to achieve this goal by using the minimum amount of Administrative effort.
What should you use?

A. dcgpofix
B. Get-GPOReport
C. Gpfixup
D. Gpresult
E. Gptedit.msc
F. Import-GPO
G. Import-GPO
H. Restore-GPO
I. Set-GPInheritance
J. Set-GPLink
K. Set-GPPermission
L. Gpupdate
M. Add-ADGroupMember

Answer: I
Explanation:
The cmdlet Set-GPInheritance enable or disable inheritance for a given organizational unit and
thus prevents GPOs that are linked to a higher level, are applied to the objects of being
surrounded OU.
The following call disables inheritance parent GPOs for OU CBTest the root of the domain:
Set-GPinheritance -target "ou = contosoTest, dc = contoso, dc = com" -IsBlocked Yes
http://technet.microsoft.com/en-us/library/ee461032.aspx
http://technet.microsoft.com/en-us/library/cc757050.aspx

QUESTION 30
Your network contains an Active Directory domain named contoso.com. The domain contains
more than 100 Group Policy objects (GPOs). Currently, there are no enforced GPOs.
You have two GPOs linked to an organizational unit (OU) named OU1.
You need to change the precedence order of the GPOs.
What should you use?

A. Dcgpofix
B. Get-GPOReport
C. Gpfixup
D. Gpresult
E. Gptedit.msc
F. Import-GPO
G. Restore-GPO
H. Set-GPInheritance
I. Set-GPLink
J. Set-GPPermission
K. Gpupdate

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 35
http://www.braindump2go.com
L. Add-ADGroupMember

Answer: I
Explanation:
The Set-GPLink cmdlet sets the properties of a GPO link.
You can set the following properties:
-- Enabled. If the GPO link is enabled, the settings of the GPO are applied when Group Policy is
processed for the site, domain or OU.
-- Enforced. If the GPO link is enforced, it cannot be blocked at a lower-level (in the Group Policy
processing hierarchy) container.
-- Order. The order specifies the precedence that the settings of the GPO take over conflicting
settings in other GPOs that are linked (and enabled) to the same site, domain, or OU.
http://technet.microsoft.com/en-us/library/ee461022.aspx

QUESTION 31
Your network contains an Active Directory domain named contoso.com. The domain contains
more than 100 Group Policy objects (GPOs). Currently, there are no enforced GPOs.
You need to provide an Administrator named Admin1 with the ability to create GPOs in the
domain. The solution must not provide Admin1 with the ability to link GPOs.
What should you use?

A. dcgpofix
B. Get-GPOReport
C. Gpfixup
D. Gpresult
E. Gptedit.msc
F. Import-GPO
G. Restore-GPO
H. Set-GPInheritance
I. Set-GPLink
J. Set-GPPermission
K. Gpupdate
L. Add-ADGroupMember

Answer: J
Explanation:
http://technet.microsoft.com/en-us/library/ee461038.aspx

QUESTION 32
Your network contains an Active Directory domain named contoso.com. The domain contains
more than 100 Group Policy objects (GPOs). Currently, there are no enforced GPOs. The domain
contains a GPO named GPO1. GPO1 contains several Group Policy preferences.
You need to view all of the preferences configured in GPO1.
What should you use?

A. dcgpofix
B. Get-GPOReport
C. Gpfixup
D. Gpresult
E. Gptedit.msc
F. Import-GPO

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 36
http://www.braindump2go.com
G. Restore-GPO
H. Set-GPInheritance
I. Set-GPLink
J. Set-GPPermission
K. Gpupdate
L. Add-ADGroupMember

Answer: B
Explanation:
The Get-GPOReport cmdlet generates a report in either XML or HTML format that describes
properties and policy settings for a specified GPO or for all GPOs in a domain. The information
that is reported for each GPO includes: details, links, security filtering, WMI filtering, delegation,
and computer and user configuration
http://technet.microsoft.com/en-us/library/ee461027.aspx
http://cmdlet.wordpress.com/2011/08/24/episode-3-get-gporeport

QUESTION 33
Your network contains an Active Directory domain named contoso.com. The domain contains
more than 100 Group Policy objects (GPOs). Currently, there are no enforced GPOs.
A network Administrator accidentally deletes the Default Domain Policy GPO.
You do not have a backup of any of the GPOs.
You need to recreate the Default Domain Policy GPO.
What should you use?

A. dcgpofix
B. Get-GPOReport
C. Gpfixup
D. Gptedit.msc
E. Import-GPO
F. Restore-GPO
G. Set-GPInheritance
H. Set-GPLink
I. Set-GPPermission
J. Gpupdate
K. Add-ADGroupMember

Answer: A
Explanation:
Restores the default Group Policy objects to their original state (that is, the default state after
initial installation).

QUESTION 34
Your network contains an Active Directory domain named contoso.com. The domain contains
more than 100 Group Policy objects (GPOs). Currently, there are no enforced GPOs. The domain
is renamed to adatum.com. Group Policies no longer function correctly.
You need to ensure that the existing GPOs are applied to users and computers.
You want to achieve this goal by using the minimum amount of Administrative effort.
What should you use?

A. dcgpofix
B. Get-GPOReport

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 37
http://www.braindump2go.com
C. Gpfixup
D. Gpresult
E. Gptedit.msc
F. Import-GPO
G. Restore-GPO
H. Set-GPInheritance
I. Set-GPLink
J. Set-GPPermission
K. Gpupdate
L. Add-ADGroupMember

Answer: C
Explanation:
You can use the gpfixup command-line tool to fix the dependencies that Group Policy objects
(GPOs) and Group Policy links in Active Directory Domain Services (AD DS) have on Domain
Name System (DNS) and NetBIOS names after a domain rename operation.

QUESTION 35
Your network contains an Active Directory domain named contoso.com. The domain contains
more than 100 Group Policy objects (GPOs). Currently, there are no enforced GPOs. The domain
contains a top-level organizational unit (OU) for each department. A group named Group1
contains members from each department.
You have a GPO named GPO1 that is linked to the domain.
You need to configure GPO1 to apply settings to Group1 only.
What should you use?

A. dcgpofix
B. Get-GPOReport
C. Gpfixup
D. Gpresult
E. Gptedit.msc
F. Import-GPO
G. Restore-GPO
H. Set-GPInheritance
I. Set-GPLink
J. Set-GPPermission
K. Gpupdate
L. Add-ADGroupMember

Answer: J
Explanation:
J. Set-GPPermission grants a level of permissions to a security principal (user, security group, or
computer) for one GPO or all the GPOs in a domain. You use the TargetName and TargetType
parameters to specify a user, security group, or computer for which to set the permission level.
-Replace <SwitchParameter>
Specifies that the existing permission level for the group or user is removed before the new
permission level is set. If a security principal is already granted a permission level that is higher
than the specified permission level and you do not use the Replace parameter, no change is
made. http://technet.microsoft.com/en-us/library/ee461038.aspx

QUESTION 36

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 38
http://www.braindump2go.com
Your network contains an Active Directory domain named contoso.com.
A user named User1 creates a central store and opens the Group Policy Management Editor as
shown in the exhibit.

You need to ensure that the default Administrative Templates appear in GPO1.
What should you do?

A. Link a WMI filter to GPO1.


B. Add User1 to the Group Policy Creator Owners group.
C. Configure Security Filtering in GPO1.
D. Copy files from %Windir%\PolicyDefinitions to the central store.

Answer: D
Explanation:
In earlier operating systems, all the default Administrative Template files are added to the ADM
folder of a Group Policy object (GPO) on a domain controller. The GPOs are stored in the
SYSVOL folder. The SYSVOL folder is automatically replicated to other domain controllers in the
same domain.
A policy file uses approximately 2 megabytes (MB) of hard disk space. Because each domain
controller stores a distinct version of a policy, replication traffic is increased.
In Group Policy for Windows Server 2008 and Windows Vista, if you change Administrative
template policy settings on local computers, Sysvol will not be automatically updated with the
new .ADMX or .ADML files. This change in behavior is implemented to reduce network load and
disk storage requirements, and to prevent conflicts between .ADMX files and. ADML files when
edits to Administrative template policy settings are made across different locales. To make sure
that any local updates are reflected in Sysvol, you must manually copy the updated .ADMX
or .ADML files from the PolicyDefinitions file on the local computer to the Sysvol\PolicyDefinitions
folder on the appropriate domain controller.
To take advantage of the benefits of .admx files, you must create a Central Store in the SYSVOL
folder on a domain controller. The Central Store is a file location that is checked by the Group
Policy tools. The Group Policy tools use any .admx files that are in the Central Store. The files
that are in the Central Store are later replicated to all domain controllers in the domain.
To create a Central Store for .admx and .adml files, create a folder that is named
PolicyDefinitions in the following location:
\\FQDN\SYSVOL\FQDN\policies

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 39
http://www.braindump2go.com
http://support.microsoft.com/kb/929841

QUESTION 37
Your network contains an Active Directory domain named contoso.com. The domain contains a
server named Server1 that runs Windows Server 2012 P.2. Server1 has the Network Policy and
Access Services server role installed.
Your company's security policy requires that certificate-based authentication must be used by
some network services.
You need to identify which Network Policy Server (NPS) authentication methods comply with the
security policy.
Which two authentication methods should you identify?
(Each correct answer presents part of the solution. Choose two.)

A. MS-CHAP
B. PEAP-MS-CHAP v2
C. Chap
D. EAP-TLS
E. MS-CHAP v2

Answer: BD
Explanation:
PEAP is similar in design to EAP-TTLS, requiring only a server-side PKI certificate to create a
secure TLS tunnel to protect user authentication, and uses server- side public key certificates to
authenticate the server. When you use EAP with a strong EAP type, such as TLS with smart
cards or TLS with certificates, both the client and the server use certificates to verify their
identities to each other.

QUESTION 38
You have a server named Server1 that runs Windows Server 2012 R2. Server1 has the Windows
Deployment Services server role installed.
Server1 contains two boot images and four install images.
You need to ensure that when a computer starts from PXE, the available operating system
images appear in a specific order.
What should you do?

A. Modify the properties of the boot images.


B. Create a new image group.
C. Modify the properties of the install images.
D. Modify the PXE Response Policy.

Answer: C
Explanation:

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 40
http://www.braindump2go.com
installation images are the operating system images that you deploy to the client computer. Start
images are the images with which you start a client computer to perform an operating system
installation. Boot images contain Windows PE and the Windows Deployment Services client.
The order of the display of images can about the value of priority on the register general are
controlled in the properties of the images:

QUESTION 39
Your network contains an Active Directory domain named contoso.com. Domain controllers run
either Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012 R2.
You have a Password Settings object (PSOs) named PSO1.
You need to view the settings of PSO1.
Which tool should you use?

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 41
http://www.braindump2go.com
A. Get-ADFineGrainedPasswordPolicy
B. Get-ADAccountResultantPasswordReplicationPolicy
C. Get-ADDomainControllerPasswordReplicationPolicy
D. Get-ADDefaultDomainPasswordPolicy

Answer: A
Explanation:
A. Gets one or more Active Directory fine grained password policies.
B. Gets the resultant password replication policy for an Active Directory account.
C. Gets the members of the allowed list or denied list of a read-only domain controller's password
replication policy
D. Gets the default password policy for an Active Directory domain.
http://technet.microsoft.com/en-us/library/ee617231.aspx
ttp://technet.microsoft.com/en-us/library/ee617227.aspx
http://technet.microsoft.com/en-us/library/ee617207.aspx
http://technet.microsoft.com/en-us/library/ee617244.aspx

QUESTION 40
You have a failover cluster that contains five nodes. All of the nodes run Windows Server 2012
R2. All of the nodes have BitLocker Drive Encryption (BitLocker) enabled.
You enable BitLocker on a Cluster Shared Volume (CSV).
You need to ensure that all of the cluster nodes can access the CSV.
Which cmdlet should you run next?

A. Unblock-Tpm
B. Add-BitLockerKeyProtector
C. Remove-BitLockerKeyProtector
D. Enable BitLockerAutoUnlock

Answer: B
Explanation:
Add an Active Directory Security Identifier (SID) to the CSV disk using the Cluster Name Object
(CNO) The Active Directory protector is a domain security identifier (SID) based protector for
protecting clustered volumes held within the Active Directory infrastructure. It can be bound to a
user account, machine account or group. When an unlock request is made for a protected
volume, the BitLocker service interrupts the request and uses the BitLocker protect/unprotect
APIs to unlock or deny the request.
For the cluster service to selfmanage BitLocker enabled disk volumes, an administrator must add
the Cluster Name Object (CNO), which is the Active Directory identity associated with the Cluster
Network name, as a BitLocker protector to the target disk volumes.
Add-BitLockerKeyProtector <drive letter or CSV mount point> -
ADAccountOrGroupProtector - ADAccountOrGroup $cno

QUESTION 41
Hotspot Question
You have a file server named Server1 that runs Windows Server 2012 R2.
A user named User1 is assigned the modify NTFS permission to a folder named C:\shares and all
of the subfolders of C:\shares.
On Server1, you open File Server Resource Manager as shown in the exhibit. (Click the Exhibit
button.)

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 42
http://www.braindump2go.com
To answer, complete each statement according to the information presented in the exhibit.
Each correct selection is worth one point.

Answer:

Explanation:
You can create file screens to prevent files that belong to particular file groups are saved on a
volume or in a folder structure. A file screen affects all folders in the specified path. For example,
you can create a file screen to prevent users from storing audio and video files in their personal

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 43
http://www.braindump2go.com
folders on the server. You can also Resource Manager File Server configure that it sends e-mail
or other notifications when a certain file screening event occurs.
A file screen can be active or passive:

Active checks prevent users from saving unauthorized file types on the server.
In passive checks users are monitored, save certain file types, and configured notifications
generated, users are not prevented from saving the files.

A file screen prevents users and applications not from accessing files that were saved in a
directory before the file screen was created - regardless of whether the files belong to the blocked
file groups or not. In the folder C: \ Data1 can no audio and video files and any image files are
stored. Because except for image files to the directory C: \ Data1 \ Folder1 image files any audio
and video files can be stored in this folder while but.

QUESTION 42
Your network contains an Active Directory domain named contoso.com. The domain contains 30
user accounts that are used for network administration. The user accounts are members of a
domain global group named Group1.
You identify the security requirements for the 30 user accounts as shown in the following table.

You need to identify which settings must be implemented by using a Password Settings object
(PSO) and which settings must be implemented by modifying the properties of the user accounts.
What should you identify?

Answer:

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 44
http://www.braindump2go.com
Explanation:
With the settings Account is sensitive and can not be delegated, and users can not change
password is account options on the Register account can be activated in the properties of user
accounts. In the settings Minimum password length and enforce password history is it to
password policies that can be configured as part of a PSO object.

QUESTION 43
Your network contains an Active Directory domain named contoso.com. The domain contains a
virtual machine named Server1 that runs Windows Server 2012 R2.
Server1 has a dynamically expanding virtual hard disk that is mounted to drive E.
You need to ensure that you can enable BitLocker Drive Encryption (BitLocker) on drive E.
Which command should you run?

A. manage-bde -protectors -add c: -startup e:


B. manage-bde -lock e:
C. manage-bde -protectors -add e: -startupkey c:
D. manage-bde -on e:

Answer: D
Explanation:
Manage-bde: on
Encrypts the drive and turns on BitLocker.
Example:
The following example illustrates using the -on command to turn on BitLocker for drive C and add
a recovery password to the drive.
manage-bde -on C: -recoverypassword

QUESTION 44
Hotspot Question
Your network contains 25 Web servers that run Windows Server 2012 R2.
You need to configure auditing policies that meet the following requirements:

- Generate an event each time a new process is created.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 45
http://www.braindump2go.com
- Generate an event each time a user attempts to access a file share.

Which two auditing policies should you configure?


To answer, select the appropriate two auditing policies in the answer area.

Answer:

Explanation:
* Audit Object Access
Determines whether to audit the event of a user accessing an object (for example, file, folder,
registry key, printer, and so forth) which has its own system access control list (SACL) specified.
* Audit Process Tracking
Determines whether to audit detailed tracking information for events such as program activation,
process exit, handle duplication, and indirect object access.
Reference: Audit object access

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 46
http://www.braindump2go.com
https://technet.microsoft.com/en-us/library/cc976403.aspx
Reference: Audit Process Tracking
https://technet.microsoft.com/en-us/library/cc976411.aspx

QUESTION 45
Your network contains an Active Directory domain named contoso.com. All domain controllers
run Windows Server 2012 R2.
You have a Group Policy object (GPO) named GPO1 that contains hundreds of settings. GPO1 is
linked to an organizational unit (OU) named OU1. OU1 contains 200 client computers.
You plan to unlink GPO1 from OU1.
You need to identify which GPO settings will be removed from the computers after GPO1 is
unlinked from OU1.
Which two GPO settings should you identify?
(Each correct answer presents part of the solution. Choose two.)

A. The managed Administrative Template settings


B. The unmanaged Administrative Template settings
C. The System Services security settings
D. The Event Log security settings
E. The Restricted Groups security settings

Answer: AE
Explanation:
http://technet.microsoft.com/en-us/library/cc778402(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/bb964258.aspx
There are two kinds of Administrative Template policy settings: Managed and Unmanaged .
The Group Policy service governs Managed policy settings and removes a policy setting when it
is no longer within scope of the user or computer.

QUESTION 46
Your network contains an Active Directory domain named contoso.com. The domain contains an
organizational unit (OU) named IT and a CU named Sales. All of the help desk user accounts are
located in the IT CU. All of the sales user accounts are located in the Sales CU. The Sales CU
contains a global security group named G_Sales. The IT CU contains a global security group
named G_HelpDesk.
You need to ensure that members of G_HelpDesk can perform the following tasks:

- Reset the passwords of the sales users.


- Force the sales users to change their password at their next logon.

What should you do?

A. Run the Set-ADFinecrainedPasswordPolicy cmdlet and specify the -identity parameter.


B. Right-click the IT OU and select Delegate Control.
C. Right-click the Sales OU and select Delegate Control.
D. Run the Set-ADAccountPassword cmdlet and specify the -identity parameter.

Answer: C
Explanation:
B. Wrong OU. Question asks for G_HelpDesk member to be able to delegate control of sales
users/force reset
C. G_HelpDesk members need to be allowed to delegate control on the Sales OU as it contains

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 47
http://www.braindump2go.com
the sales users (G_Sales)
http://technet.microsoft.com/en-us/library/cc732524.aspx

QUESTION 47
Your network contains an Active Directory domain named contoso.com. The domain contains five
servers. The servers are configured as shown in the following table.

All desktop computers in contoso.com run Windows 8 and are configured to use BitLocker Drive
Encryption (BitLocker) on all local disk drives.
You need to deploy the Network Unlock feature.
The solution must minimize the number of features and server roles installed on the network.
To which server should you deploy the feature?

A. Server1
B. Server2
C. Server3
D. Server4
E. Server5

Answer: E
Explanation:
The BitLocker Network Unlock feature will install the WDS role if it is not already installed. If you
want to install it separately before you install BitLocker Network Unlock you can use Server
Manager or Windows PowerShell. To install the role using Server Manager, select the Windows
Deployment Services role in Server Manager.

QUESTION 48
Hotspot Question
Your network contains an Active Directory domain named contoso.com.
You create an organizational unit (OU) named OU1 and a Group Policy object (GPO) named
GPO1. You link GPO1 to OU1.
You move several file servers that store sensitive company documents to OU1.
Each file server contains more than 40 shared folders.
You need to audit all of the failed attempts to access the files on the file servers in OU1.
The solution must minimize administrative effort.
Which two audit policies should you configure in GPO1?
To answer, select the appropriate two objects in the answer area.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 48
http://www.braindump2go.com
Answer:

Explanation:
The figure shows the categories of Advanced Audit Policy Configuration. The basic settings for
the Safeguards Policies under Security Settings \ Local Policies \ Audit Policy and the
advanced settings for the Safeguards Policies under Security Settings \ Advanced Audit
Policy Configuration \ System Audit Policies appear to overlap, but they are recorded and
applied differently . Under Security Settings \ Local Policies \ Audit Policy, there are nine
basic audit policy settings under Advanced Audit Policy Configuration 53 Settings.

The settings under Security Settings \ Advanced Audit Policy Configuration \ System Audit
Policies are available, refer to similar areas as the basic nine settings \ Local Policies Audit
Policy, however, administrators have more choices when it comes to the number and types of

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 49
http://www.braindump2go.com
the monitored events. Where the basic audit policy e. g. provides a single setting for account
registration, are available in the extended audit policy four.

The activation of the single basic account logon setting is equivalent to the activation of all four
advanced account logon settings. In comparison, no audit events for activities when you specify a
single set advanced audit policy, created in which you are not interested. If you success auditing
for the basic setting Audit account logon activate, also just a sense of achievement for all account
logon-related behaviors are logged. For an extended account logon setting, you can however
configure success auditing for a second advanced account logon setting, fault monitoring and for
a third advanced account logon settings success and failure - or no monitoring, depending on the
requirements of the organization.

The nine basic settings under Security Settings \ Local Policies \ Audit Policy were introduced in
Windows 2000 and are therefore available for all versions of Windows since published. The
advanced audit policy settings were introduced in Windows Vista and Windows Server of 2008.
The advanced settings can only be used on computers running Windows 7, Windows Vista,
Windows Server 2008 R2 or Windows Server 2008 is running.

QUESTION 49
Your network contains an Active Directory domain named contoso.com.
All domain controllers run Windows Server 2012 R2.
The domain contains 500 client computers that run Windows 8 Enterprise.
You implement a Group Policy central store.
You have an application named App1. App1 requires that a custom registry setting be deployed
to all of the computers.
You need to deploy the custom registry setting. The solution must minimize administrator effort.
What should you configure in a Group Policy object (GPO)?

A. The Software Installation settings


B. The Administrative Templates
C. An application control policy
D. The Group Policy preferences

Answer: D
Explanation:
Group Policy preferences provide the means to simplify deployment and standardize
configurations. They add to Group Policy a centralized system for deploying preferences (that is,
settings that users can change later).
You can also use Group Policy preferences to configure applications that are not Group Policy-
aware. By using Group Policy preferences, you can change or delete almost any registry setting,
file or folder, shortcut, and more.
You are not limited by the contents of Administrative Template files.
The Group Policy Management Editor (GPME) includes Group Policy preferences.
http://technet.microsoft.com/en-us/library/gg699429.aspx
http://www.unidesk.com/blog/gpos-set-custom-registry-entries-virtual-desktops-disabling-
machine-password

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 50
http://www.braindump2go.com
QUESTION 50
You have a file server that has the File Server Resource Manager role service installed.
You open the File Server Resource Manager console as shown in the exhibit. (Click the Exhibit
button.)

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 51
http://www.braindump2go.com
You need to ensure that all of the folders in Folder1 have a 100-MB quota limit.
What should you do?

A. Run the Update FsrmQuotacmdlet.


B. Run the Update-FsrmAutoQuotacmdlet.
C. Create a new quota for Folder1.
D. Modify the quota properties of Folder1.

Answer: C
Explanation:
By using auto apply quotas, you can assign a quota template to a parent volume or folder. Then
File Server Resource Manager automatically generates quotas that are based on that template.
Quotas are generated for each of the existing subfolders and for subfolders that you create in the
future.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 52
http://www.braindump2go.com
http://technet.microsoft.com/en-us/library/cc731577.aspx

QUESTION 51
You have a server named Server 1.
You enable BitLocker Drive Encryption (BitLocker) on Server 1.
You need to change the password for the Trusted Platform Module (TPM) chip.
What should you run on Server1?

A. Manage-bde.exe
B. Set-TpmOwnerAuth
C. bdehdcfg.exe
D. tpmvscmgr.exe

Answer: B
Explanation:
The Set-TpmOwnerAuthcmdlet changes the current owner authorization value of the Trusted
Platform Module (TPM) to a new value.
You can specify the current owner authorization value or specify a file that contains the current
owner authorization value. If you do not specify an owner authorization value, the cmdlet attempts
to read the value from the registry.
Use the ConvertTo-TpmOwnerAuthcmdlet to create an owner authorization value.
You can specify a new owner authorization value or specify a file that contains the new value.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 53
http://www.braindump2go.com
QUESTION 52
Your company has a main office and two branch offices. The main office is located in Seattle.
The two branch offices are located in Montreal and Miami.
Each office is configured as an Active Directory site.
The network contains an Active Directory domain named contoso.com.
Network traffic is not routed between the Montreal office and the Miami office.
You implement a Distributed File System (DFS) namespace named \\contoso.com\public.
The namespace contains a folder named Folder1. Folder1 has a folder target in each office.
You need to configure DFS to ensure that users in the branch offices only receive referrals to the
target in their respective office or to the target in the main office.
Which two actions should you perform?
(Each correct answer presents part of the solution. Choose two.)

A. Set the Ordering method of \\contoso.com\public to Random order.


B. Set the Advanced properties of the folder target in the Seattle office to Last among all targets.
C. Set the Advanced properties of the folder target in the Seattle office to First among targets of
equal cost.
D. Set the Ordering method of \\contoso.com\public to Exclude targets outside of the client's site.
E. Set the Advanced properties of the folder target in the Seattle office to Last among targets of
equal cost.
F. Set the Ordering method of \\contoso.com\public to Lowest cost.

Answer: CD
Explanation:
Exclude targets outside of the client's site In this method, the referral contains only the targets
that are in the same site as the client. These same-site targets are listed in random order. If no
same-site targets exist, the client does not receive a referral and cannot access that portion of the
namespace. Note: Targets that have target priority set to "First among all targets" or "Last among
all targets" are still listed in the referral, even if the ordering method is set to Exclude targets
outside of the client's site .
Note 2: Set the Ordering Method for Targets in Referrals A referral is an ordered list of targets
that a client computer receives from a domain controller or namespace server when the user
accesses a namespace root or folder with targets. After the client receives the referral, the client
attempts to access the first target in the list. If the target is not available, the client attempts to
access the next target.

QUESTION 53
Hotspot Question
Your network contains an Active Directory domain named contoso.com. The domain contains a
server named Server1 that has the Network Policy Server server role installed. The domain
contains a server named Server2 that is configured for RADIUS accounting.
Server1 is configured as a VPN server and is configured to forward authentication requests to
Server2.
You need to ensure that only Server2 contains event information about authentication requests
from connections to Server1.

Which two nodes should you configure from the Network Policy Server console?
To answer, select the appropriate two nodes in the answer area.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 54
http://www.braindump2go.com
Answer:

Explanation:

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 55
http://www.braindump2go.com
In the properties of the Network Policy Server logging of rejected and successful authentication
requests can be disabled: Using connection request policies can be defined, whether connection
requests are processed locally or forwarded to a remote RADIUS server.

QUESTION 54
Your network contains an Active Directory domain named contoso.com. All domain controllers
run Windows Server 2012 R2. An organizational unit (OU) named OU1 contains 200 client
computers that run Windows 8 Enterprise. A Group Policy object (GPO) named GPO1 is linked to
OU1.
You make a change to GPO1.
You need to force all of the computers in OU1 to refresh their Group Policy settings immediately.
The solution must minimize administrative effort.
Which tool should you use?

A. Group Policy Object Editor


B. The Secedit command
C. Group Policy Management Console (GPMC)
D. Active Directory Users and Computers

Answer: C
Explanation:
In the previous versions of Windows, this was accomplished by having the user run
GPUpdate.exe on their computer.
Starting with Windows Server?2012 and Windows?8, you can now remotely refresh Group Policy
settings for all computers in an OU from one central location through the Group Policy
Management Console (GPMC). Or you can use the Invoke-GPUpdate cmdlet to refresh Group
Policy for a set of computers, not limited to the OU structure, for example, if the computers are
located in the default computers container.
Note: Group Policy Management Console (GPMC) is a scriptable Microsoft Management Console
(MMC) snap-in, providing a single administrative tool for managing Group Policy across the
enterprise. GPMC is the standard tool for managing Group Policy.
Incorrect:
Not B: Secedit configures and analyzes system security by comparing your current configuration
to at least one template.
Reference: Force a Remote Group Policy Refresh (GPUpdate)

QUESTION 55
Hotspot Question
Your network contains an Active Directory domain named contoso.com. The domain contains a
server named Server1 that runs Windows Server 2012 R2.
Server1 has the following BitLocker Drive Encryption (BitLocker) settings:

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 56
http://www.braindump2go.com
You need to ensure that drive D will unlock automatically when Server1 restarts. What command
should you run?
To answer, select the appropriate options in the answer area.

Answer:

Explanation:
If BitLocker is enabled on the operating system drive, you can admit when you turn on BitLocker
for an integrated data drive that the drive is automatically unlocked when the operating system
drive is unlocked.
The available parameters are part of the cmdlet Add-BitLockerKeyProtector.
The parameter -ADAccountOrGroupProtector the encryption key can be added to a domain
account as a protector.

QUESTION 56
Your network contains an Active Directory domain named contoso.com. The domain contains a
member server named Server1. All servers run Windows Server 2012 R2.
You need to collect the error events from all of the servers on Server1. The solution must ensure
that when new servers are added to the domain, their error events are collected automatically on
Server1.
Which two actions should you perform?
(Each correct answer presents part of the solution.
Choose two.)

A. On Server1, create a collector initiated subscription.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 57
http://www.braindump2go.com
B. On Server1, create a source computer initiated subscription.
C. From a Group Policy object (GPO), configure the Configure target Subscription Manager setting.
D. From a Group Policy object (GPO), configure the Configure forwarder resource usage setting.

Answer: BC
Explanation:
To set up a Source-Initiated Subscription with Windows Server 2003/2008 so that events of
interest from the Security event log of several domain controllers can be forwarded to an
administrative workstation
* Group Policy
The forwarding computer needs to be configured with the address of the server to which the
events are forwarded. This can be done with the following group policy setting:
Computer configuration-Administrative templates-Windows components-Event forwarding-
Configure the server address, refresh interval, and issue certificate authority of a target
subscription manager.
* Edit the GPO and browse to Computer Configuration | Policies | Administrative Templates
| Windows Components | Event Forwarding - Configure the server address, refresh interval, and
issuer certificate authority of a target Subscription Manager

QUESTION 57
QUESTION 350
Hotspot Question
Your company has two offices. The offices are located in Montreal and Seattle.
The network contains an Active Directory domain named contoso.com. The domain contains
servers named Server1 and Server2. Server1 is located in the Seattle office. Server2 is located in
the Montreal office. Both servers run Windows Server 2012 R2 and have the Windows Server
Update Services (WSUS) server role installed.
You need to configure Server2 to download updates that are approved on Server1 only.
What cmdlet should you run?
To answer, select the appropriate options in the answer area.

Answer:

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 58
http://www.braindump2go.com
Explanation:
With the cmdlet Set-WsusServerSynchronization can be determined whether a Windows
Server Update Services (WSUS) server updates synchronized from Microsoft Update or from an
upstream server.
The parameter -UssServerName server name indicates that you want to synchronize from the
specified upstream server.
The Parameter -Replica configures the Windows Server Update Services (WSUS) for the replica
mode.

QUESTION 58
You have a server named Server1 that runs Windows Server 2012 R2.
Server1 has the File Server Resource Manager role service installed.
Each time a user receives an access-denied message after attempting to access a folder on
Server1, an email notification is sent to a distribution list named DL1.
You create a folder named Folder1 on Server1, and then you configure custom NTFS
permissions for Folder 1.
You need to ensure that when a user receives an access-denied message while attempting to
access Folder1, an email notification is sent to a distribution list named DL2.
The solution must not prevent DL1 from receiving notifications about other access-denied
messages.
What should you do?

A. From File Explorer, modify the Classification tab of Folder1.


B. From the File Server Resource Manager console, modify the Email Notifications settings.
C. From the File Server Resource Manager console, set a folder management property.
D. From File Explorer, modify the Customize tab of Folder1.

Answer: B
Explanation:
When using the email model each of the file shares, you can determine whether access requests
to each file share will be received by the administrator, a distribution list that represents the file
share owners, or both.
The owner distribution list is configured by using the SMB Share - Advanced file share profile in
the New Share Wizard in Server Manager.
http://technet.microsoft.com/en-us/library/jj574182.aspx#BKMK_12

QUESTION 59
Drag and Drop Question
You have a WIM file that contains an image of Windows Server 2012 R2.
Recently, a technician applied a Microsoft Standalone Update Package (MSU) to the image.
You need to remove the MSU package from the image.
Which three actions should you perform in sequence?
To answer, move the appropriate three actions from the list of actions to the answer area and
arrange them in the correct order.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 59
http://www.braindump2go.com
Answer:

QUESTION 60
Your network contains an Active Directory domain named contoso.com. All domain controllers
run Windows Server 2012 R2. A domain controller named DC1 has the ADMX Migrator tool
installed.
You have a custom Administrative Template file on DC1 named Template1.adm.
You need to add a custom registry entry to Template1.adm by using the ADMX Migrator tool.
Which action should you run first?

A. New Category
B. Load Template
C. New Policy Setting
D. Generate ADMX from ADM

Answer: D
Explanation:
A. Done after ADMX is created, adds categories of policy settings

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 60
http://www.braindump2go.com
B. Done after ADMX is created, Loads ADMX template to be edited
C. Done after ADMX is created, defines new registry-based policy settings
D. Coverts ADM files into ADMX (XML Format)
http://technet.microsoft.com/en-us/magazine/2008.02.utilityspotlight.aspx

QUESTION 61
Hotspot Question
Your network contains an Active Directory named contoso.com.
You have users named User1 and user2.
The Network Access Permission for User1 is set to Control access through NPS Network Policy.
The Network Access Permission for User2 is set to Allow access.
A policy named Policy1 is shown in the Policy1 exhibit. (Click the Exhibit button.)

A policy named Policy2 is shown in the Policy2 exhibit. (Click the Exhibit button.)

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 61
http://www.braindump2go.com
A policy named Policy3 is shown in the Policy3 exhibit. (Click the Exhibit button.)

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 62
http://www.braindump2go.com
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Each correct selection is worth one point.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 63
http://www.braindump2go.com
Answer:

QUESTION 62
Drag and Drop Question
Your network contains an Active Directory domain named adatum.com. The domain contains a
server named Server1 that runs Windows Server 2012 R2. Server1 is configured as a Network
Policy Server (NPS) server and as a DHCP server.
You need to log all DHCP clients that have windows Firewall disabled.
Which three actions should you perform in sequence?
To answer, move the three appropriate actions from the list of actions to the answer area and
arrange them in the correct order.

Answer:

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 64
http://www.braindump2go.com
Explanation:
http://technet.microsoft.com/es-es/library/dd314198%28v=ws.10%29.aspx
http://technet.microsoft.com/es-es/magazine/2009.05.goat.aspx
http://technet.microsoft.com/es-es/library/dd314173%28v=ws.10%29.aspx
http://ripusudan.wordpress.com/2013/03/19/how-to-configure-nap-enforcement-for-dhcp/
http://technet.microsoft.com/es-es/magazine/2009.05.goat.aspx
http://technet.microsoft.com/en-us/library/dd125379%28v=ws.10%29.aspx
http://technet.microsoft.com/en-us/library/cc772356%28v=ws.10%29.aspx

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 65
http://www.braindump2go.com
QUESTION 63
Your network contains an Active Directory domain named contoso.com.
You have several Windows PowerShell scripts that execute when client computers start. When a
client computer starts, you discover that it takes a long time before users are prompted to log on.
You need to reduce the amount of time it takes for the client computers to start. The solution must
not prevent scripts from completing successfully.
Which setting should you configure? To answer, select the appropriate setting in the answer area.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 66
http://www.braindump2go.com
Answer:

Explanation:
Lets the system run startup scripts simultaneously rather than waiting for each to finish
http://technet.microsoft.com/en-us/library/cc939423.aspx

QUESTION 64
Drag and Drop Question
You are a network administrator of an Active Directory domain named contoso.com.
You have a server named Server1 that runs Windows Server 2012 R2. Server1 has the Web
Server (IIS) server role installed. Server1 will host a web site at URL https:// secure.contoso.com.
The application pool identity account of the web site will be set to a domain user account named
AppPool1.
You need to identify the setspn.exe command that you must run to configure the appropriate
Service Principal Name (SPN) for the web site.
What should you run? To answer, drag the appropriate objects to the correct location. Each
object may be used once, more than once, or not at all.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 67
http://www.braindump2go.com
Answer:

Explanation:
Note:
* -s <SPN>
Adds the specified SPN for the computer, after verifying that no duplicates exist.
Usage: setspn -s SPN accountname
For example, to register SPN "http/daserver" for computer "daserver1":
setspn -S http/daserver daserver1
http://technet.microsoft.com/en-us/library/cc731241(v=ws.10).aspx

QUESTION 65
Your network contains a server named Server1 that has the Network Policy and Access Services
server role installed.
All of the network access servers forward connection requests to Server1.
You create a new network policy on Server1.
You need to ensure that the new policy applies only to connection requests from the
192.168.0.0/24 subnet.
What should you do?

A. Set the Client IP4 Address condition to 192.168.0.0/24.


B. Set the Client IP4 Address condition to 192.168.0.
C. Set the Called Station ID constraint to 192.168.0.0/24.
D. Set the Called Station ID constraint to 192.168.0.

Answer: B
Explanation:

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 68
http://www.braindump2go.com
Called Station ID condition specifies the network access server telephone number dialed by
access client.
Client IPv4 Address condition specifies the Internet Protocol (IP) version 4 address of the
RADIUS client that forwarded the connection request to the NPS server.

QUESTION 66
Your network contains an Active Directory domain named contoso.com. All domain controllers
run Windows Server 2012 R2. The domain contains 500 client computers that run Windows 8
Enterprise.
You implement a Group Policy central store.
You have an application named Appl. Appl requires that a custom registry setting be deployed to
all of the computers.
You need to deploy the custom registry setting. The solution must minimize administrator effort.
What should you configure in a Group Policy object (GPO)?

A. The Administrative Templates


B. An application control policy
C. The Group Policy preferences
D. Software installation setting

Answer: C
Explanation:
Group Policy preferences provide the means to simplify deployment and standardize
configurations. They add to Group Policy a centralized system for deploying preferences (that is,
settings that users can change later).
You can also use Group Policy preferences to configure applications that are not Group Policy-
aware. By using Group Policy preferences, you can change or delete almost any registry setting,
file or folder, shortcut, and more.
You are not limited by the contents of Administrative Template files.
The Group Policy Management Editor (GPME) includes Group Policy preferences.
http://technet.microsoft.com/en-us/library/gg699429.aspx
http://www.unidesk.com/blog/gpos-set-custom-registry-entries-virtual-desktops-disabling-
machine-password

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 69
http://www.braindump2go.com
QUESTION 67
Your network contains an Active Directory domain named contoso.com. The domain contains a
server named NPS1 that has the Network Policy Server server role installed. All servers run
Windows Server 2012 R2.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 70
http://www.braindump2go.com
You install the Remote Access server role on 10 servers.
You need to ensure that all of the Remote Access servers use the same network policies.
Which two actions should you perform?
(Each correct answer presents part of the solution.
Choose two.)

A. Configure each Remote Access server to use the Routing and Remote Access service (RRAS) to
authenticate connection requests.
B. On NPS1, create a remote RADIUS server group.
Add all of the Remote Access servers to the remote RADIUS server group.
C. On NPS1, create a new connection request policy and add a Tunnel-Type and a Service-Type
condition.
D. Configure each Remote Access server to use a RADIUS server named NPS1.
E. On NPS1, create a RADIUS client template and use the template to create RADIUS clients.

Answer: CD
Explanation:
Connection request policies are sets of conditions and settings that allow network administrators
to designate which RADIUS servers perform the authentication and authorization of connection
requests that the server running Network Policy Server (NPS) receives from RADIUS clients.
Connection request policies can be configured to designate which RADIUS servers are used for
RADIUS accounting.
When you configure Network Policy Server (NPS) as a Remote Authentication Dial-In User
Service (RADIUS) proxy, you use NPS to forward connection requests to RADIUS servers that
are capable of processing the connection requests because they can perform authentication and
authorization in the domain where the user or computer account is located. For example, if you
want to forward connection requests to one or more RADIUS servers in untrusted domains, you
can configure NPS as a RADIUS proxy to forward the requests to the remote RADIUS servers in
the untrusted domain.
To configure NPS as a RADIUS proxy, you must create a connection request policy that contains
all of the information required for NPS to evaluate which messages to forward and where to send
the messages.
http://technet.microsoft.com/en-us/library/cc730866(v=ws.10).aspx

QUESTION 68
Your network contains an Active Directory domain named contoso.com. The domain contains a
domain controller named DC1 that runs Windows Server 2012 R2.
You create an Active Directory snapshot of DC1 each day.
You need to view the contents of an Active Directory snapshot from two days ago.
What should you do first?

A. Run the dsamain.exe command.


B. Stop the Active Directory Domain Services (AD DS) service.
C. Run the ntdsutil.exe command.
D. Start the Volume Shadow Copy Service (VSS).

Answer: C
Explanation:
After you create and mount a snapshot, you can run Dsamain.exe to expose the AD DS or AD
LDS data in the snapshot
https://technet.microsoft.com/en-us/library/cc753609(v=ws.10).aspx
ntdsutil first
dsamain after

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 71
http://www.braindump2go.com
QUESTION 69
Your network contains an Active Directory domain named adatum.com. All domain controllers run
Windows Server 2012 R2. The domain contains a virtual machine named DC2.
On DC2, you run Get-ADDCCloningExcludedApplicationList and receive the output shown in the
following table.

You need to ensure that you can clone DC2.


Which two actions should you perform?
(Each correct answer presents part of the solution. Choose two.)

A. Option A
B. Option B
C. Option C
D. Option D
E. Option E

Answer: AE

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 72
http://www.braindump2go.com
Explanation:
Because domain controllers provide a distributed environment, you could not safely clone an
Active Directory domain controller in the past.
Before, if you cloned any server, the server would end up with the same domain or forest, which
is unsupported with the same domain or forest. You would then have to run sysprep, which would
remove the unique security information before cloning and then promote a domain controller
manually. When you clone a domain controller, you perform safe cloning, which a cloned domain
controller automatically runs a subset of the sysprep process and promotes the server to a
domain controller automatically.
The four primary steps to deploy a cloned virtualized domain controller are as follows:
- Grant the source virtualized domain controller the permission to be cloned by adding the source
virtualized domain controller to the Cloneable Domain Controllers group.
- Run Get-ADDCCloningExcludedApplicationListcmdlet in Windows PowerShell to determine
which services and applications on the domain controller are not compatible with the cloning.
- Run New-ADDCCloneConfigFile to create the clone configuration file, which is stored in the
C:\Windows\NTDS.
- In Hyper-V, export and then import the virtual machine of the source domain controller.
Run Get-ADDCCloningExcludedApplicationListcmdlet In this procedure, run the Get-
ADDCCloningExcludedApplicationListcmdlet on the source virtualized domain controller to
identify any programs or services that are not evaluated for cloning. You need to run the Get-
ADDCCloningExcludedApplicationListcmdlet before the New- ADDCCloneConfigFilecmdlet
because if the New- ADDCCloneConfigFilecmdlet detects an excluded application, it will not
create a DCCloneConfig.xml file. To identify applications or services that run on a source domain
controller which have not been evaluated for cloning
Get-ADDCCloningExcludedApplicationList
Get-ADDCCloningExcludedApplicationList -GenerateXml
The clone domain controller will be located in the same site as the source domain controller
unless a different site is specified in the DCCloneConfig.xml file.
Note:
The Get-ADDCCloningExcludedApplicationListcmdlet searches the local domain controller for
programs and services in the installed programs database, the services control manager that are
not specified in the default and user defined inclusion list. The applications in the resulting list can
be added to the user defined exclusion list if they are determined to support cloning. If the
applications are not cloneable, they should be removed from the source domain controller before
the clone media is created. Any application that appears in cmdlet output and is not included in
the user defined inclusion list will force cloning to fail. The Get-
ADDCCloningExcludedApplicationListcmdlet needs to be run before the New-
ADDCCloneConfigFilecmdlet is used because if the New-ADDCCloneConfigFilecmdlet detects
an excluded application, it will not create a DCCloneConfig.xml file.
DCCloneConfig.xml is an XML configuration file that contains all of the settings the cloned DC will
take when it boots. This includes network settings, DNS, WINS, AD site name, new DC name and
more. This file can be generated in a few different ways.
The New-ADDCCloneConfigcmdlet in PowerShell
By hand with an XML editor
By editing an existing config file, again with an XML editor (Notepad is not an XML editor.)

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 73
http://www.braindump2go.com
You can populate the XML file.....doesn't need to be empty.....

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 74
http://www.braindump2go.com
http://technet.microsoft.com/en-us/library/hh831734.aspx
http://blogs.dirteam.com/blogs/sanderberkouwer/archive/2012/09/10/new-features-in-active-
directory-domain-services-in-windows-server-2012-part-13-domain-controller-cloning.aspx

QUESTION 70
Hotspot Question
Your network contains an Active Directory domain named contoso.com.
You implement DirectAccess.
You need to view the properties of the DirectAccess connection.
Which connection properties should you view?
To answer, select the appropriate connection properties in the answer area.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 75
http://www.braindump2go.com
Answer:

Explanation:
http://technet.microsoft.com/en-us/library/jj613767.aspx

QUESTION 71

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 76
http://www.braindump2go.com
Your network contains an Active Directory domain named contoso.com. All client computers run
Windows 8.1.
The network contains a shared folder named FinancialData that contains five files.
You need to ensure that the FinancialData folder and its contents are copied to all of the client
computers.
Which two Group Policy preferences should you configure?
(Each correct answer presents part of the solution. Choose two.)

A. Shortcuts
B. Network Shares
C. Environment
D. Folders
E. Files

Answer: DE
Explanation:
Folder preference items allow you to create, update, replace, and delete folders and their
contents. (To configure individual files rather than folders, see Files Extension. )
Before you create a Folder preference item, you should review the behavior of each type of action
possible with this extension.
File preference items allow you to copy, modify the attributes of, replace, and delete files.
(To configure folders rather than individual files, see Folders Extension. )
Before you create a File preference item, you should review the behavior of each type of action
possible with this extension.

QUESTION 72
Your network contains an Active Directory domain named contoso.com. The domain contains
three servers. The servers are configured as shown in the following table.

You need to ensure that end-to-end encryption is used between clients and Server2 when the
clients connect to the network by using DirectAccess.
Which two actions should you perform?
(Each correct answer presents part of the solution.
Choose two.)

A. From the Remote Access Management Console, reload the configuration.


B. Add Server2 to a security group in Active Directory.
C. Restart the IPSec Policy Agent service on Server2.
D. From the Remote Access Management Console, modify the Infrastructure Servers settings.
E. From the Remote Access Management Console, modify the Application Servers settings.

Answer: BE
Explanation:
When selecting application servers that require end-to-end encryption and authentication, it is
important to note that:
** The selected end-to-end application servers must be members of one or more AD DS security

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 77
http://www.braindump2go.com
groups.
* The selected end-to-end application servers must run Windows Server 2008 or later.
* The selected end-to-end application servers must be accessible via IPv6 (Native or ISATAP, not
NAT64).
* The selected end-to-end application servers can be used with smart cards for an additional level
of authorization.

QUESTION 73
Your network contains an Active Directory domain named contoso.com. Domain controllers run
either Windows Server 2003, Windows Server 2008 R2, or Windows Server 2012 R2.
A support technician accidentally deletes a user account named User1.
You need to use tombstone reanimation to restore the User1 account.
Which tool should you use?

A. Ntdsutil
B. Ldp
C. Esentutl
D. Active Directory Administrative Center

Answer: B
Explanation:
Use Ldp.exe to restore a single, deleted Active Directory object
This feature takes advantage of the fact that Active Directory keeps deleted objects in the
database for a period of time before physically removing them.
Use Ldp.exe to restore a single, deleted Active Directory object
The LPD.exe tool, included with Windows Server 2012, allows users to perform operations
against any LDAP-compatible directory, including Active Directory. LDP is used to view objects
stored in Active Directory along with their metadata, such as security descriptors and replication
metadata.
http://technet.microsoft.com/pt-pt/magazine/2007.09.tombstones(en-us).aspx

QUESTION 74
Your network contains an Active Directory domain named contoso.com.
You need to install and configure the Web Application Proxy role service.
What should you do?

A. Install the Active Directory Federation Services server role and the Remote Access server role on
different servers.
B. Install the Active Directory Federation Services server role and the Remote Access server role on
the same server.
C. Install the Web Server (IIS) server role and the Application Server server role on the same server.
D. Install the Web Server (IIS) server role and the Application Server server role on different servers.

Answer: A
Explanation:
AD FS is required to provide authentication and authorization services to Web Application Proxy
and to store the Web Application Proxy configuration.
Remote Access is the role containing the Web Application Proxy role service.
http://technet.microsoft.com/en-us/library/dn383650.aspx

QUESTION 75
Your network contains an Active Directory domain named contoso.com.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 78
http://www.braindump2go.com
The domain contains a domain controller named DC1.
You run ntdsutil {as shown in the exhibit}.
You need to ensure that you can access the contents of the mounted snapshot.
What should you do?

A. From a command prompt, run dsamain.exe -dbpath c:\$snap_201204131056_volumec$\windows\ntds


\ntds.dit - Idapport 33389.
B. From a command prompt, run dsamain.exe -dbpath c:\$snap_201204131056_volumec$\windows\ntds
\ntds.dit - Idapport 389.
C. From the snapshot context of ntdsutil, run activate instance "NTDS".
D. From the snapshot context of ntdsutil, run mount (79f94f82-5926-4f44-8af0-2f56d827a57d).

Answer: A
Explanation:
A. Custom port needs to be defined when mounting to allow access from ADUC
B. 389 is used as the standard ldap port
C. Run prior to mount and after the mount run dsamain Sets NTDS or a specific AD LDS instance
as the active instance.
D. mounts a specific snap shot as specified by guid, using the snapshot mounted you needs to
run dsamain to start an instance of AD
http://technet.microsoft.com/en-us/library/cc753609(v=ws.10).aspx

QUESTION 76
Your network contains an Active Directory domain named contoso.com. The domain contains a
read-only domain controller (RODC) named RODC1.
You create a global group named RODC_Admins.
You need to provide the members of RODC_Admins with the ability to manage the hardware and
the software on R0DC1. The solution must not provide RODC_Admins with the ability to manage
Active Directory objects.
What should you do?

A. From Active Directory Site and Services, configure the Security settings of the RODC1 server
object.
B. From Windows PowerShell, run the Set-ADAccountControlcmdlet.
C. From a command prompt, run the dsmgmt local roles command.
D. From Active Directory Users and Computers, configure the Member Of settings of the RODC1
account.

Answer: C
Explanation:
RODC: using the dsmgmt.exe utility to manage local administrators One of the benefits of of

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 79
http://www.braindump2go.com
RODC is that you can add local administrators who do not have full access to the domain
administration. This gives them the abiltiy to manage the server but not add or change active
directory objects unless those roles are delegated. Adding this type of user is done using the
dsmdmt.exe utility at the command prompt.

QUESTION 77
You have a server named Server1 that has the Web Server (IIS) server role installed.
You obtain a Web Server certificate.
You need to configure a website on Server1 to use Secure Sockets Layer (SSL).
To which store should you import the certificate?

Answer:

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 80
http://www.braindump2go.com
Explanation:
http://technet.microsoft.com/en-us/library/cc740068(v=ws.10).aspx

QUESTION 78
Your network contains an Active Directory domain named contoso.com.
You create a user account named User1.
The properties of User1 are shown in the exhibit. (Click the Exhibit button.)
You plan to use the User1 account as a service account. The service will forward authentication
requests to other servers.
You need to ensure that you can view the Delegation tab from the properties of the User1
account.
What should you do first?

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 81
http://www.braindump2go.com
A. Modify the Security settings of User1.
B. Modify the user principal name (UPN) of User1.
C. Configure a Service Principal Name (SPN) for User1.
D. Configure the Name Mappings of User1.

Answer: C
Explanation:
If you cannot see the Delegation tab, do one or both of the following:
Register a Service Principal Name (SPN) for the user account with the Setspn utility in the
support tools on your CD. Delegation is only intended to be used by service accounts, which
should have registered SPNs, as opposed to a regular user account which typically does not
have SPNs.
Raise the functional level of your domain to Windows Server 2003.
For more information, see Related Topics.
http://technet.microsoft.com/en-us/library/cc739474(v=ws.10).aspx

QUESTION 79
Your network contains an Active Directory domain named contoso.com.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 82
http://www.braindump2go.com
All domain controllers run Windows Server 2012 R2. On all of the domain controllers, Windows is
installed in C:\Windows and the Active Directory database is located in D:\Windows\NTDS\. All of
the domain controllers have a third-party application installed. The operating system fails to
recognize that the application is compatible with domain controller cloning.
You verify with the application vendor that the application supports domain controller cloning.
You need to prepare a domain controller for cloning.
What should you do?

A. In D:\Windows\NTDS\, create an XML file named DCCloneConfig.xml and add the application
information to the file.
B. In D:\Windows\NTDS\, create an XML file named CustomDCCloneAllowList.xml and add the application
information to the file.
C. In the root of a USB flash drive, add the application information to an XML file named DefaultDCClone
AllowList.xml.
D. In D:\Windows\NTDS, create an XML file named DefaultDCCloneAllowList.xml and add the application
information to the file.

Answer: B
Explanation:
http://blogs.dirteam.com/blogs/sanderberkouwer/archive/2012/09/10/new-features-in-active-
directory-domainservices-in-windows-server-2012-part-13-domain-controller-cloning.aspx
Place the CustomDCCloneAllowList.xml file in the same folder as the Active Directory database
(ntds.dit) on the source Domain Controller.

QUESTION 80
Your network contains an Active Directory domain named contoso.com. All domain controllers
run Windows Server 2012 R2. On all of the domain controllers, Windows is installed in
C:\Windows and the Active Directory database is located in D:\Windows\NTDS\. All of the domain
controllers have a third-party application installed. The operating system fails to recognize that
the application is compatible with domain controller cloning.
You verify with the application vendor that the application supports domain controller cloning.
You need to prepare a domain controller for cloning.
What should you do?

A. In the root of a USB flash drive, add the application information to an XML file named DefaultDCClone
AllowList.xml.
B. In C:\Windows\system32\sysprep\actionfiles\, add the application information to an XML file named
Specialize .xml.
C. In D:\Windows\NTDS\, create an XML file named CustomDCCloneAllowList.xml and add the application
information to the file.
D. In C:\Windows\system32\sysprep\actionfiles\add the application information to an XML file named
Respecialize .xml.

Answer: C
Explanation:
Place the CustomDCCloneAllowList.xml file in the same folder as the Active Directory database
(ntds.dit) on the source Domain Controller.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 83
http://www.braindump2go.com
http://blogs.dirteam.com/blogs/sanderberkouwer/archive/2012/09/10/new-features-in-active-
directory-domain-services-in-windows-server-2012-part-13-domain-controller-cloning.aspx
http://www.thomasmaurer.ch/2012/08/windows-server-2012-hyper-v-how-to-clone-a-virtual-
domain-controller
http://technet.microsoft.com/en-us/library/hh831734.aspx

QUESTION 81
Hotspot Question
Your network contains an Active Directory domain named contoso.com.
The domain contains a server named Server1 that runs Windows Server 2012 R2.
Server1 has the File Server Resource Manager role service installed.
You need to configure Server1 to meet the following requirements:

- Ensure that old files in a folder named Folder1 are archived


automatically to a folder named Archive1.
- Ensure that all JPG files can always be saved to a local computer,
even when a file screen exists.

Which two nodes should you configure?


To answer, select the appropriate two nodes in the answer area.

Answer:

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 84
http://www.braindump2go.com
Explanation:
File Screens - Here you can set a "file screen exception for JPG's"
File Management Tasks - Set a new task to archive data

QUESTION 82
Your network contains an Active Directory domain named contoso.com. The domain contains six
domain controllers.

The network contains a server named Server1 that has the Hyper-V server role installed.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 85
http://www.braindump2go.com
DC6 is a virtual machine that is hosted on Server1.
You need to ensure that you can clone DC6.
Which FSMO role should you transfer to DC2?

A. Infrastructure Master
B. RID Master
C. Domain Naming Master
D. PDC emulator

Answer: D
Explanation:
D. The clone domain controller uses the security context of the source domain controller (the
domain controller whose copy it represents) to contact the Windows Server 2012 R2 Primary
Domain Controller (PDC) emulator operations master role holder (also known as flexible single
master operations, or FSMO). The PDC emulator must be running Windows Server 2012 R2, but
it does not have to be running on a hypervisor.
http://technet.microsoft.com/en-us/library/hh831734.aspx

QUESTION 83
Your network contains an Active Directory domain named contoso.com. The domain contains a
member server named Server1. Server1 runs Windows Server 2012 R2 and has the Hyper-V
server role installed. Server1 hosts 10 virtual machines. A virtual machine named VM1 runs
Windows Server 2012 R2 and hosts a processor-intensive application named Appl.
Users report that App1 responds more slowly than expected.
You need to monitor the processor usage on VM1 to identify whether changes must be made to
the hardware settings of VM1.
Which performance object should you monitor on Server1?

A. Processor
B. Hyper-V Hypervisor Virtual Processor
C. Hyper-V Hypervisor Root Virtual Processor
D. Process
E. Hyper-V Hypervisor Logical Processor

Answer: E
Explanation:
In the simplest way of thinking the virtual processor time is cycled across the available logical
processors in a round-robin type of fashion.
Thus all the processing power gets used over time, and technically nothing ever sits idle.
To accurately measure the processor utilization of a guest operating system, use the
“\Hyper-V Hypervisor Logical Processor(_Total)\% Total Run Time” performance monitor counter
on the Hyper-V host operating system.

QUESTION 84
You have a server named Server1 that runs Windows Server 2012 R2.
Server1 has the File Server Resource Manager role service installed.
Each time a user receives an access-denied message after attempting to access a folder on
Server1, an email notification is sent to a distribution list named DL1.
You create a folder named Folder1 on Server1, and then you configure custom NTFS
permissions for Folder1.
You need to ensure that when a user receives an access-denied message while attempting to
access Folder1, an email notification is sent to a distribution list named DL2.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 86
http://www.braindump2go.com
The solution must not prevent DL1 from receiving notifications about other access-denied
messages.
What should you do?

A. From Server Manager, run the New Share Wizard to create a share for Folder1 by selecting the
SMB Share - Advanced option.
B. From the File Server Resource Manager console, modify the Access-Denied Assistance settings.
C. From the File Server Resource Manager console, modify the Email Notifications settings.
D. From Server Manager, run the New Share Wizard to create a share for Folder1 by selecting the
SMB Share -Applications option.

Answer: C
Explanation:
When using the email model each of the file shares, you can determine whether access requests
to each file share will be received by the administrator, a distribution list that represents the file
share owners, or both.
The owner distribution list is configured by using the SMB Share - Advanced file share profile in
the New Share Wizard in Server Manager.
http://technet.microsoft.com/en-us/library/jj574182.aspx#BKMK_12

QUESTION 85
Hotspot Question
Your network contains an Active Directory domain named contoso.com. The domain contains
servers named Server1 and Server2. Both servers have the DFS Replication role service
installed.
You need to configure the DFS Replication environment to meet the following requirements:

- Increase the quota limit of the staging folder.


- Configure the staging folder cleanup process to provide the highest
amount of free space possible.

Which cmdlets should you use to meet each requirement?


To answer, select the appropriate options in the answer area.

Answer:

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 87
http://www.braindump2go.com
Explanation:
The DFS Replication uses staging folders for each replicated folder as caches for new and
changed files, which can be replicated from sending members to receiving members. These files
are under the local path of the replicated folder in the folder DfsrPrivate \ Staging stored.
When a file for two or more members shall be amended before the changes can be replicated,
"wins" the last updated file the conflict, and the files have "lost", are moved to the conflict folder
for deleted files. The files that are lost, in the folder DfsrPrivate \ ConflictandDeleted stored
under the local path of the replicated folder on the member that resolves the conflict.
The conflict folder for deleted files will also be used to store files that are deleted from replicated
folders. By default, the quota size of each staging folder 4,096 MB, and the quota size of each
Conflict and Deleted folder corresponds to 660 MB. The size of each folder on a member is
cumulative per volume; So when several replicated folders are available on a member, a plurality
of staging folder and Conflict folder for deleted files are created by the DFS Replication, each has
its own quota.
The following subsections provide information about how to edit the quota of the staging folder
and Conflict and Deleted folder . as well as to optimize the size of staging folders Optimize the
size of staging folders Although you can adjust the size of each staging folder, you have to
consider the following factors:

QUESTION 86
Your network contains an Active Directory domain named contoso.com.
You need to create a AD Snapshot.
Which four actions should you perform? To answer, move the four appropriate actions from the
list of actions to the answer area and arrange them in the correct order.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 88
http://www.braindump2go.com
Answer:

Explanation:
With Windows Server 2008 a new feature was introduced that allowed administrators snapshots
(snapshots) to create the Active Directory database for offline use. Consequently, you have the
opportunity to mount a backup of the Active Directory database on a selectable TCP port and to
sift through Active with an LDAP Reader or the console Directory Users and Computers (ADUC).
The ways of accessing the information from the Snapshot only include reading .
The possibilities are quite varied. For example, if the properties of objects have changed and you
need to find and restore the original state, you can use an older backup of Active Directory mount
database and transfer the data either manually or the standard tools CSVDE and LDIFDE use to
export the information and subsequently in to import the production database

QUESTION 87
Your network contains an Active Directory forest named contoso.com. All domain controllers run
Windows Server 2008 R2. The schema is upgraded to Windows Server 2012 R2.

Server 1 and Server2 host a load-balanced application pool named AppPool1.


You need to ensure that AppPool1 uses a group Manged Service Account as its identity.

Which 3 actions should you perform?

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 89
http://www.braindump2go.com
Answer:

Explanation:
http://technet.microsoft.com/en-us/library/jj128431.aspx

QUESTION 88
Your network contains an Active Directory forest named contoso.com. The forest contains a
single domain. All domain controllers run Windows Server 2012 R2. The domain contains two
domain controllers. The domain controllers are configured as shown in the following table.

Active Directory Recycle Bin is enabled.


You discover that a support technician accidentally removed 100 users from an Active Directory
group named Group1 an hour ago.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 90
http://www.braindump2go.com
What should you do?

A. Perform a non-authoritative restore.


B. Modify the is Recycled attribute of Group1.
C. Perform an authoritative restore.
D. Recover the items by using Active Directory Recycle Bin.

Answer: C
Explanation:
“You can use three methods to restore deleted user accounts, computer accounts, and security
groups. These objects are known collectively as security principals. In all three methods, you
authoritatively restore the deleted objects, and then you restore group membership information
for the deleted security principals. When you restore a deleted object, you must restore the
former values of the member and memberOf attributes in the affected security principal. The
three methods are:
Method 1: Restore the deleted user accounts, and then add the restored users back to their
groups by using the Ntdsutil.exe command-line tool (Microsoft Windows Server 2003 with Service
Pack 1 [SP1] only)
Method 2: Restore the deleted user accounts, and then add the restored users back to their
groups
Method 3: Authoritatively restore the deleted user accounts and the deleted users’ security
groups two times”
http://support.microsoft.com/kb/840001

QUESTION 89
Your network contains an Active Directory domain named contoso.com. The domain contains a
read-only domain controller (RODC) named RODC1.
You create a global group named RODC_Admins.
You need to provide the members of RODC_Admins with the ability to manage the hardware and
the software on RODC1.
The solution must not provide RODC_Admins with the ability to manage Active Directory objects.
What should you do?

A. From Active Directory Users and Computers , configure the Managed By settings of the RODC1 account.
B. From Active Directory Sites and Services, run the Delegation of Control Wizard
C. From Active Directory Users and Computers, run the Delegation of Control Wizard.
D. From a command prompt, run the dsadd computer command.

Answer: A
Explanation:
Note:
* You can delegate local administrative permissions for an RODC to any domain user without
granting that user any user rights for the domain or other domain controllers. This permits a local
branch user to log on to an RODC and perform maintenance work on the server, such as
upgrading a driver. However, the branch user cannot log on to any other domain controller or
perform any other administrative task in the domain. In this way, the branch user can be
delegated the ability to effectively manage the RODC in the branch office without compromising
the security of the rest of the domain.
Incorrect:
Not C: The Set-ADAccountControl cmdlet modifies the user account control (UAC) values for an
Active Directory user or computer account. UAC values are represented by cmdlet parameters.
For example, set the PasswordExpired parameter to change whether an account is expired and
to modify the ADS_UF_PASSWORD_EXPIRED UAC value.
Not D: Managed by Tab in Windows Server computer account grantslocal admin access to that

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 91
http://www.braindump2go.com
RODC. This means he getsControl Access for ResetPassword, and WriteProperty for
UserLogonInformation and AccountRestrictions propsets. These allow him to attach an RODC to
precreated RODC account, or to perform RODC demotion (with /retainDcMetadata flag). He is
also dropped into the local builtin admins group on that RODC

QUESTION 90
Your network contains an Active Directory domain named contoso.com. All domain controllers
run Windows Server 2012 R2. In a remote site, a support technician installs a server named
DC10 that runs Windows Server 2012 R2. DC10 is currently a member of a workgroup.
You plan to promote DC10 to a read-only domain controller (RODC).
You need to ensure that a user named Contoso/User1 can promote DC10 to a RODC in the
contoso.com domain. The solution must minimize the number of permissions assigned to User1.
What should you do?

A. Join DC10 to the domain. Modify the properties of the DC10 computer account
B. From Active Directory Administrative Center, pre-create an RODC computer account.
C. Join DC10 to the domain. Run dsmod and specify the /server switch
D. From Active Directory Administrative Center, modify the security settings of the Domain Controllers
organizational unit (OU).

Answer: B
Explanation:
A staged read only domain controller (RODC) installation works in two discrete phases:
1. Staging an unoccupied computer account
2. Attaching an RODC to that account during promotion
Reference: Install a Windows Server 2012 R2 Active Directory Read-Only Domain Controller
(RODC)

QUESTION 91
Hotspot Question
Your network contains an Active Directory forest named contoso.com. The forest contains a
single domain.
All domain controllers run Windows Server 2012 R2 and are configured as DNS servers.
All DNS zones are Active Directory-integrated. Active Directory Recycle Bin is enabled.
You need to modify the amount of time deleted objects are retained in the Active Directory
Recycle Bin.
Which naming context should you use?
To answer, select the appropriate naming context in the answer area.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 92
http://www.braindump2go.com
Answer:

Explanation:
http://technet.microsoft.com/en-us/library/dd392260%28v=ws.10%29.aspx

QUESTION 92
Your network contains an Active Directory domain named contoso.com. The domain contains six
domain controllers. The domain controllers are configured as shown in the following table.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 93
http://www.braindump2go.com
The network contains a server named Server1 that has the Hyper-V server role installed. DC6 is
a virtual machine that is hosted on Server1.
You need to ensure that you can clone DC6.
What should you do?

A. Transfer the schema master to DC6.


B. Transfer the schema master to DC4.
C. Transfer the PDC emulator to DC2.
D. Transfer the PDC emulator to DC5.

Answer: C
Explanation:
A deployed Windows Server 2012 domain controller (virtualized or physical) that hosts the PDC
emulator role (DC1). To verify whether the PDC emulator role is hosted on a Windows Server
2012 domain controller, run the following Windows PowerShell command:
Get-ADComputer (Get-ADDomainController - Discover - Service "PrimaryDC"). Name - Property
operatingsystemversion | fl
http://technet.microsoft.com/en-us/library/hh831734.aspx#steps_deploy_vdc

QUESTION 93
Hotspot Question
Your network contains an Active Directory domain named contoso.com. All servers run Windows
Server 2012 R2.
You need to audit successful and failed attempts to read data from USB drives on the servers.
Which two objects should you configure?
To answer, select the appropriate two objects in the answer area.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 94
http://www.braindump2go.com
Answer:

Explanation:
The figure shows the sub-category are object access the advanced audit policy shown. For the
logging of removable media error events the setting "Audit Handle Manipulation" also be
activated.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 95
http://www.braindump2go.com
QUESTION 94
Hotspot Question
You have a server named Server4 that runs Windows Server 2012 R2.
Server4 has the Windows Deployment Services server role installed.
Server4 is configured as shown in the exhibit. (Click the Exhibit button.)

To answer, complete each statement according to the information presented in the exhibit.
Each correct selection is worth one point.

Answer:

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 96
http://www.braindump2go.com
Explanation:
With a 64-bit client computer, both 32-bit and 64-bit boot images may be used. With a 32-bit client
computers 32 bit boot images can be started.
The order will be displayed in the installation images and the default boot image can be controlled
via the priority settings of images. The lower the value, the higher the priority. If available, a boot
image is used, that the architecture of the client corresponds.

QUESTION 95
You manage a server that runs Windows Server 2012 R2. The server has the Windows
Deployment Services server role installed.
You have a desktop computer that has the following configuration:

- Computer name: Computer1


- Operating system: Windows 8
- MAC address: 20-CF-30-65-D0-87
- GUID: 979708BF-C04B-4525-9FE0-C4150BB6C618

You need to configure a pre-staged device for Computer1 in the Windows Deployment Services
console.
Which two values should you assign to the device ID?
(Each correct answer presents a complete solution. Choose two.)

A. 20CF3065D08700000000000000000000
B. 979708BFC04B45259FE0C4150BB6C618
C. 979708BF-C04B-452S-9FE0-C4150BB6C618
D. 0000000000000000000020CF306SD087
E. 00000000-0000-0000-0000-C41S0BB6C618

Answer: CD
Explanation:
* To add or remove pre-staged client to/from AD DS, specify the name of the computer or the
device ID, which is a GUID, media access control (MAC) address, or Dynamic Host Configuration
Protocol (DHCP) identifier associated with the computer.
* Example: Remove a device by using its ID from a specified domain This command removes the
pre-staged device that has the specified ID. The cmdlet searches the domain named
TSQA.Contoso.com for the device.
Windows PowerShell
PS C:\> Remove-WdsClient -DeviceID "5a7a1def-2e1f-4a7b-a792-ae5275b6ef92" -Domain -
DomainName "TSQA.Contoso.com"

QUESTION 96
Hotspot Question
Your company has four offices. The offices are located in Montreal, Seattle, Sydney, and New
York.
The network contains an Active Directory domain named contoso.com. The domain contains a
server named Server2 that runs Windows Server 2012 R2. Server2 has the DHCP Server server
role installed.
All client computers obtain their IPv4 and IPv6 addresses from DHCP.
You need to ensure that Network Access Protection (NAP) enforcement for DHCP applies to all
of the client computers except for the client computers in the New York office.
Which two nodes should you configure?
To answer, select the appropriate two nodes in the answer area.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 97
http://www.braindump2go.com
Answer:

Explanation:
The DHCP enforcement for the Network Access Protection is only possible for the IPv4 protocol.
We can enable the Network Access Protection in the properties of IPv4 for all areas and then in
the field of [192.168.0.0] contoso.com - disable New York.

QUESTION 97
Your network contains an Active Directory domain named adatum.com.
A network administrator creates a Group Policy central store.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 98
http://www.braindump2go.com
After the central store is created, you discover that when you create new Group Policy objects
(GPOs), the GPOs do not contain any Administrative Templates.
You need to ensure that the Administrative Templates appear in new GPOs.
What should you do?

A. Add your user account to the Group Policy Creator Owners group.
B. Configure all domain controllers as global catalog servers.
C. Copy files from %Windir%\Policydefimtions to the central store.
D. Modify the Delegation settings of the new GPOs.

Answer: C
Explanation:
To take advantage of the benefits of . admx files, you must create a Central Store in the SYSVOL
folder on a domain controller. The Central Store is a file location that is checked by the Group
Policy tools. The Group Policy tools use any . admx files that are in the Central Store. The files
that are in the Central Store are later replicated to all domain controllers in the domain.

QUESTION 98
Your network contains two Active Directory forests named contoso.com and dev.contoso.com.
The contoso.com forest contains a domain controller named DC1.
The dev.contoso.com forest contains a domain controller named DC2.
Each domain contains an organizational unit (OU) named OU1.
Dev.contoso.com has a Group Policy object (GPO) named GPO1.
GPO1 contains 200 settings, including several settings that have network paths.
GPO1 is linked to OU1.
You need to copy GPO1 from dev.contoso.com to contoso.com.
What should you do first on DC2?

A. From the Group Policy Management console, right-click GPO1 and select Copy.
B. Run the mtedit.exe command and specify the /Domaintcontoso.com /DC:DC 1 parameter.
C. Run the Save-NetGpocmdlet.
D. Run the Backup-Gpocmdlet.

Answer: D
Explanation:
With the cmdlet Backup-GPO can in the domain dev.certbase.de a backup be created by GPO1.
Subsequently, the policy settings in the certbase.de domain can import GPO be imported into a
new GPO. The direct restore a backup of a GPO to another forest is not possible. Copying a
GPO via the functions "Copy" and Paste "the Group Policy Management is also not over the
border of a forest possible. The cmdlet save NetGPO saving changes to its cached local GPO
and Mtedit.exe starts the migration table editor.

QUESTION 99
Your network contains four Network Policy Server (NPS) servers named Server1, Server2,
Server 3, and Server4.
Server1 is configured as a RADIUS proxy that forwards connection requests to a remote RADIUS
server group named Group1.
You need to ensure that Server2 and Server3 receive connection requests.
Server4 must only receive connection requests if both Server2 and Server3 are unavailable.
How should you configure Group1?

A. Change the Weight of Server4 to 10.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 99
http://www.braindump2go.com
B. Change the Weight of Server2 and Server3 to 10.
C. Change the Priority of Server2 and Server3 to 10.
D. Change the Priority of Server4 to 10.

Answer: D
Explanation:
During the NPS proxy configuration process, you can create remote RADIUS server groups and
then add RADIUS servers to each group. To configure load balancing, you must have more than
one RADIUS server per remote RADIUS server group. While adding group members, or after
creating a RADIUS server as a group member, you can access the Add RADIUS server dialog
box to configure the following items on the Load Balancing tab:
Priority. Priority specifies the order of importance of the RADIUS server to the NPS proxy server.
Priority level must be assigned a value that is an integer, such as 1, 2, or 3. The lower the
number, the higher priority the NPS proxy gives to the RADIUS server.
For example, if the RADIUS server is assigned the highest priority of 1, the NPS proxy sends
connection requests to the RADIUS server first; if servers with priority 1 are not available, NPS
then sends connection requests to RADIUS servers with priority 2, and so on. You can assign the
same priority to multiple RADIUS servers, and then use the Weight setting to load balance
between them.
Weight. NPS uses this Weight setting to determine how many connection requests to send to
each group member when the group members have the same priority level. Weight setting must
be assigned a value between 1 and 100, and the value represents a percentage of 100 percent.
For example, if the remote RADIUS server group contains two members that both have a priority
level of 1 and a weight rating of 50, the NPS proxy forwards 50 percent of the connection
requests to each RADIUS server.
Advanced settings. These failover settingsprovide a way for NPS to determine whether the
remote RADIUS server is unavailable. If NPS determines that a RADIUS server is unavailable, it
can start sending connection requests to other group members. With these settings you can
configure the number of seconds that the NPS proxy waits for a response from the RADIUS
server before it considers the request dropped; the maximum number of dropped requests before
the NPS proxy identifies the RADIUS server as unavailable; and the number of seconds that can
elapse between requests before the NPS proxy identifies the RADIUS server as unavailable.
The default priority is 1 and can be changed from 1 to 65535. So changing server 2 and 3 to
priority 10 is not the way to go.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 100
http://www.braindump2go.com
http://technet.microsoft.com/en-us/library/dd197433(WS.10).aspx

QUESTION 100
Your network contains an Active Directory domain named contoso.com. The domain contains a
server named Server1 that runs Windows Server 2012 R2. Server1 has the DHCP Server server
role installed. The network contains 400 client computers that run Windows 8. All of the client
computers are joined to the domain and are configured DHCP clients.
You install a new server named Server2 that runs Windows Server 2012 R2.
On Server2, you install the Network Policy Server role service and you configure Network Access
Protection (NAP) to use the DHCP enforcement method.
You need to ensure that Server1 only provides a valid default gateway to computers that pass the
system health validation.
Which two actions should you perform?
(Each correct answer presents part of the solution. Choose two.)

A. From the DHCP console, configure the 016 Swap Server option.
B. From the DHCP console, create a new policy.
C. From the NAP Client Configuration console, enable the DHCP Quarantine Enforcement Client.
D. From the DHCP console, enable NAP on all scopes.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 101
http://www.braindump2go.com
E. From Server Manager, install the Network Policy Server role service.

Answer: DE
Explanation:
D: The administrator must define the following settings on the NAP DHCP server:
/ (D) NAP-enabled scopes: In order to use a DHCP scope with NAP, you must enable it
specifically for NAP in scope properties under NAP settings.
/ Default NAP class: You must configure any required scope options for computers that are
noncompliant with health requirements. A default gateway is not provided to noncompliant
computers regardless of whether the 003 Router option is configured here. / Remote RADIUS
server groups: If connection requests are forwarded from the DHCP server to a NAP health policy
server on another computer, you must configure the NPS service on the NAP DHCP server to
forward connection requests to the NAP health policy server. This setting is not required if the
NAP DHCP server is also the NAP health policy server. / Default user class: You must configure
any required scope options for computers that are compliant with health requirements.
: The NAP DHCP server is a server running Windows Server 2008 or Windows Server 2008 R2
(or Windows 2012) with the DHCP server role installed and running. Additionally, if this server is
not also the NAP health policy server, it must have the NPS role service installed (E), running,
and configured to forward connection requests to the NAP health policy server. The NAP DHCP
server restricts noncompliant client access by providing a limited IP address configuration to
computers that do not meet health requirements. A limited access configuration has a subnet
mask of 255.255.255.255 and no default gateway. Static host routes are provisioned to provide
access to the DHCP server and any servers that have been added to remediation server groups
on the NAP health policy server.
Reference: DHCP Enforcement Configuration

QUESTION 101
Your network is configured as shown in the exhibit. (Click the Exhibit button.)

Server1 regularly accesses Server2.


You discover that all of the connections from Server1 to Server2 are routed through Router1.
You need to optimize the connection path from Server1 to Server2.
Which route command should you run on Server1?

A. Route add -p 10.10.10.0 MASK 255.255.255.0 10.10.10.1 METRIC 50


B. Route add -p 10.10.10.0 MASK 255.255.255.0 172.23.16.2 METRIC 100
C. Route add -p 10.10.10.12 MASK 255.255.255.0 10.10.10.1 METRIC 100
D. Route add -p 10.10.10.12 MASK 255.255.255.0 10.10.10.0 METRIC 50

Answer: B
Explanation:
destination - specifies either an IP address or host name for the network or host.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 102
http://www.braindump2go.com
subnetmask - specifies a subnet mask to be associated with this route entry. If subnetmask is not
specified, 255.255.255.255 is used.
gateway - specifies either an IP address or host name for the gateway or router to use when
forwarding.
costmetric - assigns an integer cost metric (ranging from 1 through 9,999) to be used in
calculating the fastest, most reliable, and/or least expensive routes.
If costmetric is not specified, 1 is used.
interface - specifies the interface to be used for the route that uses the interface number. If an
interface is not specified, the interface to be used for the route is determined from the gateway IP
address.
http://support.microsoft.com/kb/299540/en-us
http://technet.microsoft.com/en-us/library/cc757323%28v=ws.10%29.aspx

QUESTION 102
Your network contains an Active Directory domain named adatum.com. The domain contains a
server named Server1 that runs Windows Server 2012 R2. Server1 is configured as a Network
Policy Server (NPS) server and as a DHCP server.
You need to ensure that only computers that send a statement of health are checked for Network
Access Protection (NAP) health requirements.
Which two settings should you configure?
(Each correct answer presents part of the solution. Choose two.)

A. The Called Station ID constraints


B. The MS-Service Class conditions
C. The Health Policies conditions
D. The NAS Port Type constraints
E. The NAP-Capable Computers conditions

Answer: CE
Explanation:
A. Used to designate the phone number of the network access server. This attribute is a
character string. You can use pattern-matching syntax to specify area codes.
B. Restricts the policy to clients that have received an IP address from a DHCP scope that
matches the specified DHCP profile name. This condition is used only when you are deploying
NAP with the DHCP enforcement method. To use the MS-Service Class attribute, in Specify the
profile name that identifies your DHCP scope, type the name of an existing DHCP profile.
C. The Health Policies condition restricts the policy to clients that meet the health criteria in the
policy that you specify.
D. Allows you to specify the type of media used by the client computer to connect to the network.
E. The NAP-capable Computers condition restricts the policy to either clients that are capable of
participating in NAP or clients that are not capable of participating in NAP. This capability is
determined by whether the client sends a statement of health (SoH) to NPS.
http://technet.microsoft.com/en-us/library/cc753603.aspx
http://technet.microsoft.com/en-us/library/cc731220(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc731560.aspx

QUESTION 103
Your network contains two Active Directory forests named adatum.com and contoso.com. The
network contains three servers. The servers are configured as shown in the following table.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 103
http://www.braindump2go.com
You need to ensure that connection requests from adatum.com users are forwarded to Server2
and connection requests from contoso.com users are forwarded to Server3.
Which two should you configure in the connection request policies on Server1?
(Each correct answer presents part of the solution. Choose two.)

A. The Authentication settings


B. The User Name condition
C. The Standard RADIUS Attributes settings
D. The Identity Type condition
E. The Location Groups condition

Answer: AB
Explanation:
A: A connection request policy profile is a set of properties that are applied to an incoming
RADIUS message. A connection request policy profile consists of the following groups of
properties:
/ Authentication
You can set the following authentication options that are used for RADIUS Access-Request
messages:
// Authenticate requests on this server.
// Forward requests to another RADIUS server in a remote RADIUS server group. // Accept the
connection attempt without performing authentication or authorization.
/ Accounting
/ Attribute manipulation
/ Advanced
B: * A connection request policy is a named rule that consists of the following elements:
/ Conditions
/ Profile
* The User-Name RADIUS attribute is a character string that typically contains a user account
location and a user account name. The user account location is also called the realm or realm
name, and is synonymous with the concept of domain, including DNS domains, Active Directory
domains, and Windows NT 4.0 domains
Note:
* NPS as a RADIUS proxy
The default connection request policy is deleted, and two new connection request policies are
created to forward requests to two different domains. In this example, NPS is configured as a
RADIUS proxy. NPS does not process any connection requests on the local server. Instead, it
forwards connection requests to NPS or other RADIUS servers that are configured as members
of remote RADIUS server groups.

QUESTION 104

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 104
http://www.braindump2go.com
Your network contains an Active Directory domain named contoso.com. All servers run Windows
Server 2012 R2.
The domain contains a server named Server1 that has the Network Policy Server server role and
the Remote Access server role installed. The domain contains a server named Server2 that is
configured as a RADIUS server.
Server1 provides VPN access to external users.
You need to ensure that all of the VPN connections to Server1 are logged to the RADIUS server
on Server2.
What should you run?

A. Add-RemoteAccessRadius -ServerNameServer1 -AccountingOnOffMsg Enabled - SharedSecret


"Secret" -Purpose Accounting
B. Set-RemoteAccessAccounting -AccountingOnOffMsg Enabled -AccountingOnOffMsg Enabled
C. Add-RemoteAccessRadius -ServerName Server2 -AccountingOnOffMsg Enabled - SharedSecret
"Secret" -Purpose Accounting
D. Set-RemoteAccessAccounting -EnableAccountingType Inbox -AccountingOnOffMsg Enabled

Answer: C
Explanation:
Add-RemoteAccessRadius
Adds a new external RADIUS server for VPN authentication, accounting for DirectAccess (DA)
and VPN, or one-time password (OTP) authentication for DA.
AccountingOnOffMsg<String>
Indicates the enabled state for sending of accounting on or off messages.
The acceptable values for this parameter are:
Enabled.
Disabled. This is the default value.
This parameter is applicable only when the RADIUS server is being added for Remote Access
accounting.

QUESTION 105
Hotspot Question
Your network contains an Active Directory domain named contoso.com. The domain contains two
servers named Server1 and Server2. Server1 has the Network Policy Server server role installed.
Server2 has the DHCP Server server role installed. Both servers run Windows Server 2012 R2.
You are configuring Network Access Protection (NAP) to use DHCP enforcement.
You configure a DHCP scope as shown in the exhibit. (Click the Exhibit button.)

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 105
http://www.braindump2go.com
You need to ensure that non-compliant NAP clients receive different DHCP options than
compliant NAP clients.
What should you configure on each server?
To answer, select the appropriate options for each server in the answer area.

Answer:

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 106
http://www.braindump2go.com
Explanation:
The MS-Service Class condition restricts the policy to clients that have received an IP address
from a DHCP scope that matches the specified DHCP profile name. This condition is used only
when you are deploying NAP with the DHCP enforcement method.
Server1: MS-Service class
Server options are standard for all scopes. Scope options override server options.
Server2: Scope options

QUESTION 106
Your network contains a Network Policy Server (NPS) server named Server1.
The network contains a server named SQL1 that has Microsoft SQL Server 2008 R2 installed.
All servers run Windows Server 2012 R2.
You configure NPS on Server1 to log c.
You need to ensure that the accounting data is captured if SQL1 fails.
The solution must minimize cost.
What should you do?

A. Implement Failover Clustering.


B. Implement database mirroring.
C. Run the Accounting Configuration Wizard.
D. Modify the SQL Server Logging properties.

Answer: C
Explanation:
In Windows Server 2008 R2, an accounting configuration wizard is added to the
Accounting node in the NPS console. By using the Accounting Configuration wizard, you can
configure the following four accounting settings:
SQL logging only. By using this setting, you can configure a data link to a SQL Server that allows
NPS to connect to and send accounting data to the SQL server.
In addition, the wizard can configure the database on the SQL Server to ensure that the database
is compatible with NPS SQL server logging.
Text logging only. By using this setting, you can configure NPS to log accounting data to a text
file.
Parallel logging. By using this setting, you can configure the SQL Server data link and database.
You can also configure text file logging so that NPS logs simultaneously to the text file and the

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 107
http://www.braindump2go.com
SQL Server database.
SQL logging with backup. By using this setting, you can configure the SQL Server data link and
database. In addition, you can configure text file logging that NPS uses if SQL Server logging
fails.

QUESTION 107
Your network contains an Active Directory domain named contoso.com. All servers run Windows
Server 2012 R2. The domain contains two servers.
The servers are configured as shown in the following table.

All client computers run Windows 8 Enterprise.


You plan to deploy Network Access Protection (NAP) by using IPSec enforcement. A Group
Policy object (GPO) named GPO1 is configured to deploy a trusted server group to all of the
client computers.
You need to ensure that the client computers can discover HRA servers automatically.
Which three actions should you perform?
(Each correct answer presents part of the solution. Choose three.)

A. On DC1, create a service location (SRV) record.


B. On Server2, configure the EnableDiscovery registry key.
C. On all of the client computers, configure the EnableDiscovery registry key.
D. In a GPO, modify the Request Policy setting for the NAP Client Configuration.
E. On DC1, create an alias (CNAME) record.

Answer: ACD
Explanation:
Requirements for HRA automatic discovery
The following requirements must be met in order to configure trusted server groups on NAP client
computers using HRA automatic discovery:
Client computers must be running Windows Vista?with Service Pack 1 (SP1) or Windows XP with
Service Pack 3 (SP3).
The HRA server must be configured with a Secure Sockets Layer (SSL) certificate. The
EnableDiscovery registry key must be configured on NAP client computers.
DNS SRV records must be configured.
The trusted server group configuration in either local policy or Group Policy must be cleared.
http://technet.microsoft.com/en-us/library/dd296901.aspx

QUESTION 108
Your network contains an Active Directory domain named contoso.com. The domain contains a

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 108
http://www.braindump2go.com
server named Server1 that runs Windows Server 2012 R2. Server1 has the Network Policy
Server role service installed.
You plan to configure Server1 as a Network Access Protection (NAP) health policy server for
VPN enforcement by using the Configure NAP wizard.
You need to ensure that you can configure the VPN enforcement method on Server1
successfully.

What should you install on Server1 before you run the Configure NAP wizard?

A. The Host Credential Authorization Protocol (HCAP)


B. A system health validator (SHV)
C. The Remote Access server role
D. A Computer certificate

Answer: D
Explanation:
A. Host Credential Authorization Protocol (HCAP) allows you to integrate your Microsoft Network
Access Protection (NAP) solution with Microsoft Network Admission Control
B. System health validators (SHVs) define configuration requirements for NAP client computers.
C.
D. The NAP health policy server requires a computer certificate to perform PEAP-based user or
computer authentication. After this certificate is acquired, a connection to AD CS is not required
for as long as the certificate is valid.
http://technet.microsoft.com/en-us/library/cc732681.aspx
http://technet.microsoft.com/en-us/library/dd125396(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/hh831416.aspx
http://technet.microsoft.com/en-us/library/dd125301(v=ws.10).aspx

QUESTION 109
You deploy two servers named Server1 and Server2.
You install Network Policy Server (NPS) on both servers. On Server1, you configure the following
NPS settings:

- RADIUS Clients
- Network Policies
- Connection Request Policies
- SQL Server Logging Properties

You export the NPS configurations to a file and import the file to Server2.
You need to ensure that the NPS configurations on Server2 are the same as the NPS
configurations on Server1.
Which settings should you manually configure on Server2?

A. SQL Server Logging Properties


B. Connection Request Policies
C. RADIUS Clients
D. Network Policies

Answer: A
Explanation:
A. If SQL Server logging is configured on the source NPS server, SQL Server logging settings are
not exported to the XML file. After you import the file on another NPS server, you must manually
configure SQL Server logging.
B. Connection request policies are sets of conditions and settings that allow network

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 109
http://www.braindump2go.com
administrators to designate which Remote Authentication Dial-In User Service (RADIUS) servers
perform the authentication and authorization of connection requests that the server running
Network Policy Server (NPS) receives from RADIUS clients. Connection request policies can be
configured to designate which RADIUS servers are used for RADIUS accounting.
C. A network access server (NAS) is a device that provides some level of access to a larger
network. A NAS using a RADIUS infrastructure is also a RADIUS client, sending connection
requests and accounting messages to a RADIUS server for authentication, authorization, and
accounting.
D. Network policies are sets of conditions, constraints, and settings that allow you to designate
who is authorized to connect to the network and the circumstances under which they can or
cannot connect.
http://technet.microsoft.com/en-us/library/cc732059(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc753603.aspx
http://technet.microsoft.com/en-us/library/cc754033.aspx
http://technet.microsoft.com/en-us/library/cc754107(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc754123.aspx

QUESTION 110
You have a server named Server1 that has the Network Policy and Access Services server role
installed.
You plan to configure Network Policy Server (NPS) on Server1 to use certificate-based
authentication for VPN connections.
You obtain a certificate for NPS.
You need to ensure that NPS can perform certificate-based authentication.
To which store should you import the certificate? To answer, select the appropriate store in the
answer area.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 110
http://www.braindump2go.com
Answer:

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 111
http://www.braindump2go.com
Explanation:
http://technet.microsoft.com/en-us/library/dd314152(v=ws.10).aspx
http://blog.instruosolutions.com/2012/10/10/configuring-microsoft-nps-server-2008-for-wireless-
clientauthentication-ms-peap/

QUESTION 111
Your network contains a RADIUS server named Server1.
You install a new server named Server2 that runs Windows Server 2012 R2 and has Network
Policy Server (NPS) installed.
You need to ensure that all accounting requests for Server2 are forwarded to Server1.
On Server2, you create a new remote RADIUS server group named Group1 that contains
Server1.
What should you configure next on Server2?
To answer, select the appropriate node in the answer area.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 112
http://www.braindump2go.com
Answer:

Explanation:
Connection request policies are sets of conditions and settings that allow network administrators
to designate which Remote Authentication Dial-In User Service (RADIUS) servers perform the
authentication and authorization of connection requests that the server running Network Policy
Server (NPS) receives from RADIUS clients. Connection request policies can be configured to
designate which RADIUS servers are used for RADIUS accounting.
http://technet.microsoft.com/en-us/library/cc753603.aspx

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 113
http://www.braindump2go.com
QUESTION 112
Your network contains an Active Directory domain named contoso.com. The domain contains a
server named Server1. Server1 has the DHCP Server server role and the Network Policy Server
role service installed. Server1 contains three non-overlapping scopes named Scope1, Scope2,
and Scope3. Server1 currently provides the same Network Access Protection (NAP) settings to
the three scopes.
You modify the settings of Scope1 as shown in the exhibit. (Click the Exhibit button.)
You need to configure Server1 to provide unique NAP enforcement settings to the NAP non-
compliant DHCP clients from Scope1.
What should you create?

A. A network policy that has the MS-Service Class condition


B. A network policy that has the Identity Type condition
C. A connection request policy that has the Identity Type condition
D. A connection request policy that has the Service Type condition

Answer: A
Explanation:
Restricts the policy to clients that have received an IP address from a DHCP scope that matches
the specified DHCP profile name. This condition is used only when you are deploying NAP with
the DHCP enforcement method. To use the MS-Service Class attribute, in Specify the profile
name that identifies your DHCP scope, type the name of an existing DHCP profile.
http://technet.microsoft.com/en-us/library/cc731220(v=ws.10).aspx

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 114
http://www.braindump2go.com
QUESTION 113
You have a server named Server1 that runs Windows Server 2012 R2. Server1 has the Remote
Access server role installed.
You have a client named Client1 that is configured as an 802.1X supplicant.
You need to configure Server1 to handle authentication requests from Client1. The solution must
minimize the number of authentication methods enabled on Server1.
Which authentication method should you enable?
To answer, select the appropriate authentication method in the answer area.

Answer:

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 115
http://www.braindump2go.com
Explanation:
Microsoft Windows uses EAP to authenticate network access for Point-to-Point Protocol (PPP)
connections (dial-up and virtual private network) and for IEEE 802.1X-based network access to
authenticating Ethernet switches and wireless access points (APs).
http://technet.microsoft.com/en-us/library/bb457039.aspx

QUESTION 114
Your network contains an Active Directory domain named contoso.com. The domain contains a
RADIUS server named Server1 that runs Windows Server 2012 R2.
You add a VPN server named Server2 to the network. On Server1, you create several network
policies.
You need to configure Server1 to accept authentication requests from Server2.
Which tool should you use on Server1?

A. Connection Manager Administration Kit (CMAK).


B. Routing and Remote Access
C. Network Policy Server (NPS)
D. Set-RemoteAccessRadius

Answer: C
Explanation:
Forward requests to the following remote RADIUS server group . By using this setting, NPS
forwards connection requests to the remote RADIUS server group that you specify. If the NPS
server receives a valid Access-Accept message that corresponds to the Access-Request
message, the connection attempt is considered authenticated and authorized. In this case, the
NPS server acts as a RADIUS proxy.
http://technet.microsoft.com/en-us/library/cc753603.aspx
http://www.youtube.com/watch?v=0_1GOBTL4FE

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 116
http://www.braindump2go.com
QUESTION 115
Hotspot Question
Your network contains an Active Directory domain named contoso.com.
The domain contains the users shown in the following table.

You have a Network Policy Server (NPS) server that has the network policies shown in the
following table.

User1, User2, and User3 plan to connect to the network by using a VPN.
You need to identify which network policy will apply to each user.
What should you identify?
To answer, select the appropriate policy for each user in the answer area.

Answer:

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 117
http://www.braindump2go.com
QUESTION 116
Drag and Drop Question
Your network contains an Active Directory forest named contoso.com. The forest contains a
Network Policy Server (NPS) server named NPS1 and a VPN server named VPN1.
VPN1 forwards all authentication requests to NPS1.
A partner company has an Active Directory forest named adatum.com.
The adatum.com forest contains an NPS server named NPS2.
You plan to grant users from adatum.com VPN access to your network.
You need to authenticate the users from adatum.com on VPN1.
What should you create on each NPS server?
To answer, drag the appropriate objects to the correct NPS servers. Each object may be used
once, more than once, or not at all. You may need to drag the split bar between panes or scroll to
view content.

Answer:

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 118
http://www.braindump2go.com
QUESTION 117
Hotspot Question
You have a server named LON-SVR1 that runs Windows Server 2012 R2. LON-SVR1 has the
Remote Access server role installed. LON-SVRl is located in the perimeter network.
The IPv4 routing table on LON-SVR1 is configured as shown in the following exhibit. (Click the
Exhibit button.)
Your company purchases an additional router named Router1. Router1 has an interface that
connects to the perimeter network and an interface that connects to the Internet. The IP address
of the interface that connects to the perimeter network is 172.16.0.2.
You need to ensure that LON-SVR1 will route traffic to the Internet by using Router1 if the current
default gateway is unavailable.
How should you configure the static route on LON-SVR1?
To answer, select the appropriate static route in the answer area.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 119
http://www.braindump2go.com
Answer:

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 120
http://www.braindump2go.com
Explanation:
There is an additional default route needs to be used if the current default route is not available. If
there are multiple routes to a destination, you can with the metric to prioritize the routes to be
made. The metric defines a numerical measure of the quality of a connection when using a
particular route. The lower the value of the metric, the higher the priority of the route. By metric
example, higher bandwidth connections or lower cost compared to slower routes or expensive
compounds may be preferred.

QUESTION 118
Your network contains an Active Directory domain named contoso.com. The domain contains
client computers that run either Windows XP, Windows 7, or Windows 8. Network Policy Server
(NPS) is deployed to the domain.
You plan to create a system health validator (SHV).
You need to identify which policy settings can be Applied to all of the Windows XP computers.
Which three policy settings should you identify?
(Each correct answer presents part of the solution. Choose three.)

A. A firewall is enabled for all network connections.


B. An antispyware application is on.
C. Automatic updating is enabled.
D. Antivirus is up to date.
E. Antispyware is up to date.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 121
http://www.braindump2go.com
Answer: ACD
Explanation:
* System health agent (SHA) is a NAP component.
* System health agent (SHA)
A component that checks the state of the client computer to determine whether the settings
monitored by the SHA are up-to-date and configured correctly. For example, the Windows
Security Health Agent (WSHA) can monitor Windows Firewall, whether antivirus software is
installed, enabled, and updated, whether antispyware software is installed, enabled, and updated,
and whether Microsoft Update Services is enabled and the computer has the most recent security
updates from Microsoft Update Services. There might also be SHAs (and corresponding system
health validators) available from other companies that provide different functionality.

QUESTION 119
Your network contains an Active Directory domain named adatum.com.
You have a Group Policy object (GPO) that configures the Windows Update settings.
Currently, client computers are configured to download updates from Microsoft Update servers.
Users choose when the updates are installed.
You need to configure all client computers to install Windows updates automatically.
Which setting should you configure in the GPO?
To answer, select the appropriate setting in the answer area.

Answer:

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 122
http://www.braindump2go.com
Explanation:
http://support.microsoft.com/kb/328010#method1

QUESTION 120
Your network contains an Active Directory domain named contoso.com. Network Access
Protection (NAP) is deployed to the domain.
You need to create NAP event trace log files on a client computer.
What should you run?

A. Logman
B. Tracert
C. Register-EngineEvent
D. Register-ObjectEvent

Answer: A
Explanation:
You can enable NAP client tracing by using the command line. On computers running Windows
Vista®, you can enable tracing by using the NAP Client Configuration console.
NAP client tracing files are written in Event Trace Log (ETL) format. These are binary files
representing trace data that must be decoded by Microsoft support personnel. Use the –o option
to specify the directory to which they are written. In the following example, files are written
to %systemroot%\tracing\nap.
For more information, see Logman (http: //go.microsoft. com/fwlink/?LinkId=143549).
To create NAP event trace log files on a client computer
- Open a command line as an administrator.
- Type
logman start QAgentRt -p {b0278a28-76f1-4e15-b1df-14b209a12613} 0xFFFFFFFF 9 -o
%systemroot%\tracing\nap\QAgentRt. etl - ets.
Note: To troubleshoot problems with WSHA, use the following GUID: 789e8f15-0cbf-4402-
b0ed-0e22f90fdc8d.
- Reproduce the scenario that you are troubleshooting.
- Type logman stop QAgentRt -ets.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 123
http://www.braindump2go.com
- Close the command prompt window.
http://technet. microsoft. com/en-us/library/dd348461%28v=ws.10%29. Aspx

QUESTION 121
Your network contains an Active Directory domain called contoso.com. The domain contains a
member server named Server1. Server1 runs Windows Server 2012 R2.
You enable the EventLog-Application event trace session.
You need to set the maximum size of the log file used by the trace session to 10 MB.
From which tab should you perform the configuration?
To answer, select the appropriate tab in the answer area.

Answer:

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 124
http://www.braindump2go.com
Explanation:
Note: By default, logging stops only if you set an expiration date as part of the logging schedule.
Using the options on the Stop Condition tab, you can configure the log file to stop automatically
after a specified period of time, such as seven days, or when the log file is full (if you've set a
maximum size limit).
http://technet.microsoft.com/en-us/magazine/ff458614.aspx

QUESTION 122
Your network contains an Active Directory domain named contoso.com. The domain contains a
member server named Server1. All servers run Windows Server 2012 R2.
You need to collect the error events from all of the servers on Server1. The solution must ensure
that when new servers are added to the domain, their error events are collected automatically on
Server1.
Which two actions should you perform? (Each correct answer presents part of the solution.
Choose two.)

A. On Server1, create a collector initiated subscription.


B. On Server1, create a source computer initiated subscription.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 125
http://www.braindump2go.com
C. From a Group Policy object (GPO), configure the Configure target Subscription Manager setting.
D. From a Group Policy object (GPO), configure the Configure forwarder resource usage setting.

Answer: BC
Explanation:
B: To set up a Source-Initiated Subscription with Windows Server 2003/2008 so that events of
interest from the Security event log of several domain controllers can be forwarded to an
administrative workstatio
C: * Group Policy
The forwarding computer needs to be configured with the address of the server to which the
events are forwarded. This can be done with the following group policy setting:
Computer configuration-Administrative templates-Windows components-Event forwarding-
Configure the server address, refresh interval, and issue certificate authority of a target
subscription manager.
* Edit the GPO and browse to Computer Configuration | Policies | Administrative Templates |
Windows Components | Event Forwarding - Configure the server address, refresh interval, and
issuer certificate authority of a target Subscription Manager

QUESTION 123
You have Windows Server 2012 R2 installation media that contains a file named Install.wim.
You need to identify which images are present in Install.wim.
What should you do?

A. Run imagex.exe and specify the/verify parameter.


B. Run imagex.exe and specify the /ref parameter.
C. Run dism.exe and specify the /get-mountedwiminfo parameter.
D. Run dism.exe and specify the /get-imageinfo parameter.

Answer: D
Explanation:
Displays information about the images that are contained in the .wim, vhd or .vhdx file, from
http://technet.microsoft.com/en-us/library/hh825258.aspx
There is another questions asking about the image permissions which the answer for that one is
Run dism.exe and specify the /get-mountedwiminfo parameter.

QUESTION 124
Your network contains an Active Directory domain named contoso.com. The domain contains a
member server that runs Windows Server 2012 R2 and has the Windows Deployment Services
(WDS) server role installed.
You create a new multicast session in WDS and connect 50 client computers to the session.
When you open the Windows Deployment Services console, you discover that all of the
computers are listed as pending devices.
You need to ensure that any of the computers on the network can join a multicast transmission
without requiring administrator approval.
What should you configure? To answer, select the appropriate tab in the answer area.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 126
http://www.braindump2go.com
Answer:

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 127
http://www.braindump2go.com
Explanation:
Note:
Pending Devices: Depending on your PXE Response Settings, (WDS server properties), your
PXE- booting clients will appear here for approval and/or naming.
http://technet.microsoft.com/en-us/library/cc732360.aspx

QUESTION 125
Your network contains an Active Directory domain named contoso.com. The domain contains two
member servers named Server1 and Server2. All servers run Windows Server 2012 R2. Server1
and Server2 are nodes in a Hyper-V cluster named Cluster1. Cluster1 hosts 10 virtual machines.
All of the virtual machines run Windows Server 2012 R2 and are members of the domain.
You need to ensure that the first time a service named Service1 fails on a virtual machine, the
virtual machine is moved to a different node.
You configure Service1 to be monitored from Failover Cluster Manager.
What should you configure on the virtual machine?

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 128
http://www.braindump2go.com
A. From the Recovery settings of Service1, set the First failure recovery action to Restart the Service.
B. From the General settings, modify the Service status.
C. From the Recovery settings of Service1, set the First failure recovery action to Take No Action.
D. From the General settings, modify the Startup type.

Answer: C
Explanation:
Configure the virtual machine to take no action through Hyper-V if the physical computer shuts
down by modifying the Automatic Stop Action setting to None.
Virtual machine state must be managed through the Failover Clustering feature.
http://technet.microsoft.com/en-us/library/cc742396.aspx
http://windowsitpro.com/windows-server-2012/enable-windows-server-2012-failover-cluster-
hyper-v-vmmonitoring

QUESTION 126
Your network contains two servers named Server1 and Server2 that run Windows Server 2012
R2. Server1 and Server2 have the Windows Server Update Services server role installed.
Server1 synchronizes from Microsoft Update. Server2 is a Windows Server Update Services
(WSUS) replica of Server1.
You need to configure replica downstream servers to send Server1 summary information about
the computer update status.
What should you do?

A. From Server1, configure Reporting Rollup.


B. From Server2, configure Reporting Rollup.
C. From Server1, configure Email Notifications.
D. From Server2, configure Email Notifications.

Answer: A
Explanation:
WSUS Reporting Rollup Sample Tool
This tool uses the WSUS application programming interface (API) to demonstrate centralized
monitoring and reporting for WSUS. It creates a single report of update and computer status from
the WSUS servers into your WSUS environment. The sample package also contains sample
source files to customize or extend the tool functionality of the tool to meet specific needs. The
WSUS Reporting Rollup Sample Tool and files are provided AS IS. No product support is
available for this tool or sample files.
For more information read the readme file.
http://technet.microsoft.com/en-us/windowsserver/bb466192.aspx

QUESTION 127
Drag and Drop Question
Your network contains an Active Directory domain named contoso.com. The domain contains two
member servers named Server1 and Server2. All servers run Windows Server 2012 R2.
You generalize Server2.
You install the Windows Deployment Services (WDS) server role on Server1.
You need to capture an image of Server2 on Server1.
Which three actions should you perform?
To answer, move the three appropriate actions from the list of actions to the answer area and
arrange them in the correct order.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 129
http://www.braindump2go.com
Answer:

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 130
http://www.braindump2go.com
Explanation:
We can not directly add a capture image to Windows Deployment Services. We must Server1
Add a boot image first, and can then on the basis of the boot image to generate a capture image.
Server2 can capture image on the PXE boot of Server1 and upload the recording of the image
can be started.

QUESTION 128
Your network contains an Active Directory domain named adatum.com. Client computers are
deployed by using Windows Deployment Services (WDS).
From Active Directory Users and Computers on a domain controller named DO, you attempt to
create a new computer account as shown in the exhibit. (Click the Exhibit button.)
You need to ensure that you configure computer accounts as managed accounts when you
create the computer accounts from Active Directory Users and Computers.
What should you do on DC1?

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 131
http://www.braindump2go.com
A. Install the User Interfaces and Infrastructure feature.
B. From the View menu in Active Directory Users and Computers, select Users, Contacts, Groups,
and Computers as containers.
C. Install the Windows Deployment Services Tools role administration tool.
D. From the View menu in Active Directory Users and Computers, select Advanced Features.

Answer: C
Explanation:
The Tools for Windows Deployment Services include the snap-in "Windows Deployment
Services", the command-line tool Wdsutil.exe and the Remote Installation extension for the
snap-in Active Directory Users and Computers.

After installing the tools for Windows Deployment Services are the new features on the new
object available:

Without WDS

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 132
http://www.braindump2go.com
WDS + AD (After installing the tools for Windows Deployment Services are the new features on
the new object available)

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 133
http://www.braindump2go.com
QUESTION 129
You have a server named Server1 that runs Windows Server 2012 R2. On Server1, you
configure a custom Data Collector Set (DCS) named DCS1.
You need to ensure that all performance log data that is older than 30 days is deleted

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 134
http://www.braindump2go.com
automatically.
What should you configure?

A. a File Server Resource Manager (FSRM) quota on the %Systemdrive%\PerfLogs folder


B. a schedule for DCS1
C. the Data Manager settings of DCS1
D. a File Server Resource Manager (FSRM) file screen on the %Systemdrive%\PerfLogs folder

Answer: C
Explanation:
A. Would set a quota on the logs folder, wouldnt remove old log data
B. Configures when the data set would start and stop collecting data, would not remove old log
data
C. With Data Management, you can configure how log data, reports, and compressed data are
stored for each Data Collector Set.
D. File screens allow certain types of files to prohibited from a share
http://technet.microsoft.com/en-us/library/cc722312.aspx
http://technet.microsoft.com/en-us/library/cc765998.aspx
http://technet.microsoft.com/en-us/library/cc772675(v=ws.10).aspx

QUESTION 130
You have a server named Server1 that runs Windows Server 2012 R2.
You create a custom Data Collector Set (DCS) named DCS1.
You need to configure DCS1 to meet the following requirements:

- Automatically run a program when the amount of total free disk space
on Server1 drops below 10 percent of capacity.
- Log the current values of several registry settings.

Which two should you configure in DCS1?


(Each correct answer presents part of the solution. Choose two.)

A. Configure a configuration data collector.


B. A performance counter
C. Event trace data
D. A Performance Counter Alert

Answer: AD
Explanation:
Automatically run a program when the amount of total free disk space on Admin1 drops below 10
percent of capacity.
You can also configure alerts to start applications and performance logs Log the current values of
several registry settings.
System configuration information allows you to record the state of, and changes to, registry keys.
http://technet.microsoft.com/en-us/library/cc766404.aspx

QUESTION 131
Your network contains an Active Directory domain named contoso.com. All domain controllers
run Windows Server 2012 R2. An organizational unit (OU) named OU1 contains 200 client
computers that run Windows 8 Enterprise. A Group Policy object (GPO) named GPO1 is linked to
OU1.
You make a change to GPO1.
You need to force all of the computers in OU1 to refresh their Group Policy settings immediately.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 135
http://www.braindump2go.com
The solution must minimize administrative effort.
Which tool should you use?

A. The Set-AdComputercmdlet
B. Group Policy Object Editor
C. Active Directory Users and Computers
D. Group Policy Management Console (GPMC)

Answer: D
Explanation:
In the previous versions of Windows, this was accomplished by having the user run
GPUpdate.exe on their computer. Starting with Windows Server 2012 and Windows 8, you can
now remotely refresh Group Policy settings for all computers in an OU from one central location
through the Group Policy Management Console (GPMC). Or you can use the Invoke-GPUpdate
cmdlet to refresh Group Policy for a set of computers, not limited to the OU structure, for
example, if the computers are located in the default computers container.
Note: Group Policy Management Console (GPMC) is a scriptable Microsoft Management Console
(MMC) snap-in, providing a single administrative tool for managing Group Policy across the
enterprise. GPMC is the standard tool for managing Group Policy.
Incorrect:
Not B: Secedit configures and analyzes system security by comparing your current configuration
to at least one template.
Reference: Force a Remote Group Policy Refresh (GPUpdate)

QUESTION 132
Your network contains an Active Directory domain named contoso.com. All client computers
connect to the Internet by using a server that has Microsoft Forefront Threat Management
Gateway (TMG) installed.
You deploy a server named Server1 that runs Windows Server 2012 R2.
You install the Windows Server Update Services server role on Server1. From the Windows
Server Update Services Configuration Wizard, you click Start Connecting and you receive an
HTTP error message.
You need to configure Server1 to download Windows updates from the Internet.
What should you do?

A. From the Update Services console, modify the Synchronization Schedule options.
B. From Windows Internet Explorer, modify the Connections settings.
C. From Windows Internet Explorer, modify the Security settings.
D. From the Update Services console, modify the Update Source and Proxy Server options.

Answer: D
Explanation:
A. Creates a time/schedule to synchronize the WSUS server
B. Not an IE issue
C. Not an IE issue
D. Specifies WSUS to update using MS Update or other WSUS server, configure Proxy server
information to TMG server
http://technet.microsoft.com/en-
us/library/hh852346.aspx#BKM_ConfigureWSUSusingConfigurationWizard

QUESTION 133
Your network contains a single Active Directory domain named contoso.com. The domain
contains a member server named Server1 that runs Windows Server 2012 R2. Server1 has the

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 136
http://www.braindump2go.com
Windows Server Updates Services server role installed and is configured to download updates
from the Microsoft Update servers.
You need to ensure that Server1 downloads express installation files from the Microsoft Update
servers.
What should you do from the Update Services console?

A. From the Automatic Approvals options, configure the Update Rules settings.
B. From the Products and Classifications options, configure the Classifications settings.
C. From the Products and Classifications options, configure the Products settings.
D. From the Update Files and Languages options, configure the Update Files settings.

Answer: D
Explanation:
To specify whether express installation files are downloaded during synchronization
In the left pane of the WSUS Administration console, click Options.
In Update Files and Languages, click the Update Files tab.
If you want to download express installation files, select the Download express installation files
check box. If you do not want to download express installation files, clear the check box.

http://technet.microsoft.com/en-us/library/cc708431.aspx

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 137
http://www.braindump2go.com
http://technet.microsoft.com/en-us/library/cc708431.aspx

QUESTION 134
You have a VHD that contains an image of Windows Server 2012 R2.
You plan to apply updates to the image.
You need to ensure that only updates that can install without requiring a restart are installed.
Which DISM option should you use?

A. /PreventPending
B. /Apply-Unattend
C. /Cleanup-Image
D. /Add-ProvisionedAppxPackage

Answer: A
Explanation:
-PreventPending
Skips the installation of the package if the package or Windows image has pending online actions
http://technet.microsoft.com/en-us/library/hh852164.aspx
http://technet.microsoft.com/en-us/library/dd744522(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/dd744311(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/hh824882.aspx

QUESTION 135
Your network contains an Active Directory domain named adatum.com. The domain contains a
server named WDS1 that runs Windows Server 2012 R2.
You install the Windows Deployment Services server role on WDS1.
You have a virtual machine named VM1 that runs Windows Server 2012 R2.
VM1 has several line-of-business applications installed.
You need to create an image of VM1 by using Windows Deployment Services.
Which type of image should you add to VM1 first?

A. Capture
B. Install
C. Discovery
D. Boot

Answer: D
Explanation:
http://technet.microsoft.com/en-us/library/cc730907(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/jj648426.aspx
http://itadmintips.wordpress.com/2011/05/19/wds-setup-guide-part-2-boot-image-setup/

QUESTION 136
You have a server named Server1 that runs Windows Server 2012 R2. Server1 has the Windows
Server Update Services server role installed.
You need to configure Windows Server Update Services (WSUS) to support Secure Sockets
Layer (SSL).
Which three actions should you perform? (Each correct answer presents part of the solution.
Choose three.)

A. Run the wsusutil.exe command.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 138
http://www.braindump2go.com
B. From Internet Information Services (IIS) Manager, modify the bindings of the WSUS website.
C. From Internet Information Services (IIS) Manager, modify the connection strings of the WSUS website.
D. Run the iisreset.exe command.
E. Install a server certificate.

Answer: ABE
Explanation:
http://www.vkernel.ro/blog/configure-wsus-to-use-ssl
1- First we need to request a certificate for the WSUS web site, so open IIS, click the server
name, then open Server Certificates. On the Actions pane click Create Domain Certificate.
2- To add the signing certificate to the WSUS Web site in IIS 7.0 On the WSUS server, open
Internet Information Services (IIS) Manager. Expand Sites, right-click the WSUS Web site, and
then click Edit Bindings. In the Site Binding dialog box, select the https binding, and click Edit to
open the Edit Site Binding dialog box. Select the appropriate Web server certificate in the SSL
certificate box, and then click OK. Click Close to exit the Site Bindings dialog box, and then click
OK to close Internet Information Services (IIS) Manager.
3- WSUSUtil.exe configuressl <FQDN of the software update point site system> (the name in
your certificate)
WSUSUtil.exe configuressl <Intranet FQDN of the software update point site system>.
4- The next step is to point your clients to the correct url, by modifying the existing GPO or
creating a new one. Open the policy Specify intranet Microsoft update service location and type
the new url in the form https://YourWSUSserver.
The gpupdate /force command will just download all the GPO's and re-apply them to the client, it
won't force the client to check for updates. For that you need to use wuauclt /detectnow.
http://technet.microsoft.com/en-us/library/bb680861.aspx

QUESTION 137
Your network contains an Active Directory domain named contoso.com. The domain contains a
server named Server1 that runs Windows Server 2012 R2. Server1 has the Windows Server
Update Services server role installed.
You have a Group Policy object (GPO) that configures the Windows Update settings.
You need to modify the GPO to configure all client computers to install Windows updates every
Wednesday at 01:00.
Which setting should you configure in the GPO?
To answer, select the appropriate setting in the answer area.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 139
http://www.braindump2go.com
Answer:

Explanation:
The settings for this policy enable you to configure how Automatic Updates works.
You must specify that Automatic Updates download updates from the WSUS server rather than
from Windows Update.

QUESTION 138
You have a server named Server1 that runs Windows Server 2012 R2.
You need to configure Server1 to create an entry in an event log when the processor usage
exceeds 60 percent.
Which type of data collector should you create?

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 140
http://www.braindump2go.com
A. an event trace data collector
B. a performance counter data collector
C. a performance counter alert
D. a configuration data collector

Answer: C
Explanation:
Performance alerts notify you when a specified performance counter exceeds your configured
threshold by logging an event to the event log. But rather than notifying you immediately when the
counter exceeds the threshold, you can configure a time period over which the counter needs to
exceed the threshold, to avoid unnecessary alerts.

QUESTION 139
You have a VHD that contains an image of Windows Server 2012 R2.
You need to apply an update package to the image.
Which DISM option should you use?

A. /Add-ProvisionedAppxPackage
B. /Cleanup-Image
C. /Add-Package

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 141
http://www.braindump2go.com
D. /Apply-Unattend

Answer: C
Explanation:
Apply the update package (.msu) file by typing the following at a command prompt, replacing
<file_path> with the full path to the configuration set:
DISM /image:C:\MyDir\Mount /Add-Package /Packagepath:<file_path>
http://technet.microsoft.com/en-us/library/dd744311(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/dd744522(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/hh824882.aspx
http://msdn.microsoft.com/en-us/library/ff794819.aspx

QUESTION 140
Your network contains an Active Directory domain named contoso.com. The domain contains a
server named Server1 that runs Windows Server 2012 R2 and a server named Server2 that has
the File Services server role installed.
You install the Windows Deployment Services server role on Server1.
You plan to use Server2 as a reference computer.
You need to create an image of Server2 by using Windows Deployment Services.
Which type of image should you add to Server1 first?

A. Boot
B. Discovery
C. Install
D. Capture

Answer: A
Explanation:
Notes:
The main image types used in Windows Deployment Services are installation and boot images.
Install images
Install images are the operating system images that you deploy to the client computer. You can
use the default install image (install.wim) located on the DVD of Windows Vista or Windows
Server 2008 in the \ Sources directory.
You can also create custom install images from reference computers and deploy them to client
computers. First, you boot a computer (which has been prepared with Sysprep) into a capture
image. Then the capture image an install image of the computer is created.

Boot images
Boot images are the images with which you start a client computer before installing the operating
system image. The boot image presents a boot menu that contains the images that users can
install on their computers.
These images contain Windows PE 2.0 and the Windows Deployment Services client. You can
use the default boot image included in the \ Sources directory of the Windows Server 2008
installation media (boot.wim).
This file must be only in advanced scenarios (for example, if you must add the image driver) to be
changed. Important Only use the Boot.wim file on the Windows Server 2008 DVD.
If you boot.wim file to use on the Windows Vista DVD, you can not use all the functionality of
Windows Deployment Services (for example, multicasting). There are also two image types that
you can create from boot images:. Capture images and discover images.

Capture Images
Capture Images are boot images that allow the utility starts to record the Windows Deployment
Services in place of the setup. If a reference computer (which has been prepared with Sysprep)

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 142
http://www.braindump2go.com
start with a capture image, an install image of the reference computer is created and saved as a
WIM file with an assistant. You can also create a medium (eg, CD, DVD or USB drive) that
contains a capture image, and then boot a computer to the media. After you create the install
image, you can use the image for PXE boot deployment Add the server. These images provide
an alternative to command-line tool ImageX.exe.

Discover images
Discover images search images are boot images, which is enforced by that Setup.exe in
Windows Deployment Services mode is started. Subsequently, a Windows Deployment Services
server will be searched.
These images are typically used to deploy images to computers that are not configured for PXE
or that are in networks where PXE is not allowed. If you create a discover image and apply it to
the medium (eg, CD, DVD or Save USB drive), you can then boot a computer to the media.

The discover image on the media of the Windows Deployment Services server will be searched.
The installation image is provided by the server for the computer. You can configure discover
images so that a specific Windows Deployment Services server is used as a target. This means
that you can create a discover image when a plurality of servers in your environment for each
server and then can name each based on the name of the server.

QUESTION 141
You have a server named Server1 that runs Windows Server 2012 R2.
Server1 has the Windows Server Update Services roll installed.
Server1 stores update files locally in C:\Updates.
You need to change the location in which the updates files are stored to D:\Updates.
What should you do?

A. From the Update Services Console, run the Windows Server Update Services Configuration Wizard
B. From the command prompt, run wsusutil.exe and specify the movecontent parameter
C. From the command prompt, run wsusutil.exe and specify the export parameter
D. From the Update Services Console, configure the update Files and Languages option

Answer: B
Explanation:
http://technet.microsoft.com/en-us/library/cc720466(v=ws.10).aspx

QUESTION 142
You have Site1 with 400 desktops and Site2 with 150 desktops.
You have a WSUS Server to deploy updates for both sites.
You need to make sure that all computers in the same site will have the same updates.
What should you configure?

A. Computer Groups
B. Security Groups
C. Synchronization Options
D. Classifications

Answer: A
Explanation:
WSUS allows you to target updates to groups of client computers, so you can ensure that specific
computers always get the right updates at the most convenient times. For example, if all the
computers in one department (such as the Accounting team) have a specific configuration, you
can set up a group for that team, decide which updates their computers need and what time they

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 143
http://www.braindump2go.com
should be installed, and then use WSUS reports to evaluate the updates for the team.
http://technet.microsoft.com/en-us/library/hh328559(v=ws.10).aspx

QUESTION 143
You have a WDS server named Server1 on Windows Server 2012 R2.
You need to automate the WDS deployment.
Which Tab should you configure?

A. Boot Properties
B. Client Properties
C. Network Settings
D. PXE Response Settings

Answer: B
Explanation:
On the Client tab, select Enable unattended installation, browse to the appropriate unattend file,
and then click Open.
http://technet.microsoft.com/en-us/library/dd637990(v=ws.10).aspx

QUESTION 144
Which parameter do you need to use to import GUID and MAC address?

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 144
http://www.braindump2go.com
A. /get-AutoAddDevices
B. /get-Device
C. /add
D. /enable

Answer: B
Explanation:
wdsutil /get-device /id:01-23-45-67-89-AB
wdsutil /get-device /id:0123456789AB

QUESTION 145
Your network contains an Active Directory domain named contoso.com. The domain contains a
member server named Server1. Server1 runs Windows Server 2012 and has the Windows
Deployment Services (WDS) server role installed.
You need to use WDS to deploy an image to a client computer that does not support PXE.
Which type of image should you use to start the computer?

A. boot
B. install
C. discovery
D. capture

Answer: C
Explanation:
http://technet.microsoft.com/en-us/library/dd637996(v=ws.10).aspx
WDSUTIL /New-DiscoverImage /Image:<name> /Architecture:{x86|x64|ia64} . To specify
whichserver the
/DestinationImage /FilePath:<path and name to new file>
discover image connects to, append /WDSServer:<server nameor IP>.

QUESTION 146
Your network contains an Active Directory forest named adatum.com. All servers run Windows
Server 2012 R2. The domain contains four servers.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 145
http://www.braindump2go.com
The servers are configured as shown in the following table.

You need to deploy IP Address Management (IPAM) to manage DNS and DHCP.
On which server should you install IPAM?

A. Server1
B. Server2
C. Server3
D. Server4

Answer: D
Explanation:
IPAM can not be installed on a Domain Controller.

QUESTION 147
Your company deploys a new Active Directory forest named contoso.com. The first domain
controller in the forest runs Windows Server 2012 R2. The forest contains a domain controller
named DC10. On DC10; the disk that contains the SYSVOL folder fails.
You replace the failed disk.
You stop the Distributed File System (DFS) Replication service.
You restore the SYSVOL folder.
You need to perform a non-authoritative synchronization of SYSVOL on DC10.
Which tool should you use before you start the DFS Replication service on DC10?

A. Dfsgui. msc
B. Dfsmgmt. msc
C. Adsiedit. msc
D. Ldp

Answer: C
Explanation:
How to perform a non-authoritative synchronization of DFSR-replicated SYSVOL (like "D2"
for FRS)
- In the ADSIEDIT. MSC tool modify the following distinguished name (DN) value and attribute on
each of the domain controllers that you want to make nonauthoritative:
CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSRLocalSettings,
CN=<the server name>,OU=Domain Controllers,DC=<domain> msDFSR-Enabled=FALSE
- Force Active Directory replication throughout the domain.
- Run the following command from an elevated command prompt on the same servers that you
set as non-authoritative:

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 146
http://www.braindump2go.com
DFSRDIAG POLLAD
- You will see Event ID 4114 in the DFSR event log indicating SYSVOL is no longer being
replicated.
- On the same DN from Step 1, set:
msDFSR-Enabled=TRUE
- Force Active Directory replication throughout the domain.
- Run the following command from an elevated command prompt on the same servers that you
set as non-authoritative:
DFSRDIAG POLLAD
- You will see Event ID 4614 and 4604 in the DFSR event log indicating SYSVOL has been
initialized. That domain controller has now done a “D2” of SYSVOL.
Note: Active Directory Service Interfaces Editor (ADSI Edit) is a Lightweight Directory Access
Protocol (LDAP) editor that you can use to manage objects and attributes in Active Directory.
ADSI Edit (adsiedit. msc) provides a view of every object and attribute in an Active Directory
forest. You can use ADSI Edit to query, view, and edit attributes that are not exposed through
other Active Directory Microsoft Management Console (MMC) snapins: Active Directory Users
and Computers, Active Directory Sites and Services, Active Directory Domains and Trusts, and
Active Directory Schema.

QUESTION 148
Your network contains an Active Directory domain named contoso.com. The domain contains a
server named Server1 that runs Windows Server 2008 R2.
You plan to test Windows Server 2012 R2 by using native-boot virtual hard disks (VHDs).
You attach a new VHD to Server1.
You need to install Windows Server 2102 R2 in the VHD.
What should you do?

A. Run dism.exe and specify the /apply-image parameter.


B. Run dism.exe and specify the /append-image parameter.
C. Run imagex.exe and specify the /export parameter.
D. Run imagex.exe and specify the /append parameter.

Answer: A
Explanation:
On the destination computer, you will create a structure for the partitions where you apply your
images. The partition structure on the destination computer must match the partition structure of
the reference computer. If you apply an image to a volume with an existing Windows installation,
files from the previous installation may not be deleted. Format the volume by using a tool such as
DiskPart before applying the new image.

QUESTION 149
You have a server named Admin1 that runs Windows Server 2012 R2.
On Admin1, you configure a custom Data Collector Set (DCS) named DCS1. DCS1 is configured
to store performance log data in C:\Logs.
You need to ensure that the contents of C:\Logs are deleted automatically when the folder
reaches 100 MB in size.
What should you configure?

A. A File Server Resource Manager (FSRM) quota on the C:\Logs folder


B. A File Server Resource Manager (FSRM) file screen on the C:\Logs folder
C. A schedule for DCS1
D. The Data Manager settings of DCS1

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 147
http://www.braindump2go.com
Answer: D
Explanation:
http://sourcedaddy.com/windows-7/using-data-manager-view-performance-data.html

QUESTION 150
Your network contains an Active Directory domain named contoso.com.
All domain controllers run Windows Server 2012 R2.
The domain contains 500 client computers that run Windows 8.1 Enterprise and Microsoft Office
2013.
You implement a Group Policy central store.
You need to modify the default Microsoft Office 2013 Save As location for all client computers.
The solution must minimize administrative effort.
What should you configure in a Group Policy object (GPO)?

A. The Group Policy preferences


B. An application control policy
C. The Administrative Templates
D. The Software Installation settings

Answer: A
Explanation:
Group Policy preferences provide the means to simplify deployment and standardize
configurations. They add to Group Policy a centralized system for deploying preferences (that is,
settings that users can change later).
You can also use Group Policy preferences to configure applications that are not Group Policy-
aware. By using Group Policy preferences, you can change or delete almost any registry setting,
file or folder, shortcut, and more.
You are not limited by the contents of Administrative Template files.
http://technet.microsoft.com/en-us/library/dn581922.aspx

QUESTION 151
You have a server named Server1 that runs Windows Server 2012 R2.
You create a Data Collector Set (DCS) named DCS1.
You need to configure DCS1 to log data to D:\logs.
What should you do?

A. Right-click DCS1 and click Properties.


B. Right-click DCS1 and click Save template...
C. Right-click DCS1 and click Data Manager...
D. Right-click DCS1 and click Export list...

Answer: A
Explanation:
To configure data management for a Data Collector Set
1. In Windows Performance Monitor, expand Data Collector Sets and click User Defined.
2. In the console pane, right-click the name of the Data Collector Set that you want to configure
and click Data Manager.
3. On the Data Manager tab, you can accept the default values or make changes according to
your data retention policy. See the table below for details on each option.
When Minimum free disk or Maximum folders is selected, previous data will be deleted according
to the Resource policy you choose (Delete largest or Delete oldest) when the limit is reached.
When Apply policy before the data collector set starts is selected, previous data will be deleted
according to your selections before the data collector set creates its next log file.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 148
http://www.braindump2go.com
When Maximum root path size is selected, previous data will be deleted according to your
selections when the root log folder size limit is reached.
4. Click the Actions tab. You can accept the default values or make changes.
See the table below for details on each option.
5. When you have finished making your changes, click OK.

QUESTION 152
You have a server named WSUS1 that runs Windows Server 2012 R2. WSUS1 has the Windows
Server Update Services server role installed and has one volume.
You add a new hard disk to WSUS1 and then create a volume on the hard disk.
You need to ensure that the Windows Server Update Services (WSUS) update files are stored on
the new volume.
What should you do?

A. From a command prompt, run wsusutil.exe and specify the movecontent parameter.
B. From the Update Services console, run the Windows Server Update Services Configuration Wizard.
C. From the Update Services console, configure the Update Files and Languages option.
D. From a command prompt, run wsusutil.exe and specify the export parameter.

Answer: A
Explanation:
A. configuration wizard will be run immediately after installation or at a later time. If you want to
change the configuration later, you run WSUS Server Configuration Wizard from the Options
page of the WSUS 3.0 Administration console
B. Changes the file system location where the WSUS server stores update files, and optionally
copies any update files from the old location to the new location
C. The export command enables you to export update metadata to an export package file. You
cannot use this parameter to export update files, update approvals, or server settings.
D. Allows you to specify where store downloaded update file, will not move already downloaded
updates
http://technet.microsoft.com/en-us/library/cc720475(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc708480(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc720466(v=ws.10).aspx

QUESTION 153
You have a server named FS1 that runs Windows Server 2012 R2.
You install the File and Storage Services server role on FS1. From Windows Explorer, you view
the properties of a shared folder named Share1 and you discover that the Classification tab is
missing.
You need to ensure that you can assign classifications to Share1 from Windows Explorer
manually.
What should you do?

A. From Folder Options, clear Use Sharing Wizard (Recommend).


B. Install the File Server Resource Manager role service.
C. From Folder Options, select Show hidden files, folders, and drives.
D. Install the Enhanced Storage feature.

Answer: B

QUESTION 154
Your network contains an Active Directory domain named contoso.com. The domain contains a

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 149
http://www.braindump2go.com
file server named Server1. The File Server Resource Manager role service is installed on
Server1. All servers run Windows Server 2012 R2. A Group Policy object (GPO) named GPO1 is
linked to the organizational unit (OU) that contains Server1.
The following graphic shows the configured settings in GPO1.

Server1 contains a folder named Folder1. Folder1 is shared as Share1.


You attempt to configure access-denied assistance on Server1, but the Enable accessdenied
assistance option cannot be selected from File Server Resource Manager.
You need to ensure that you can configure access- denied assistance on Server1 manually by
using File Server Resource Manager.
What should you do?

A. Set the Customize message for Access Denied errors policy setting to Enabled for GPO1.
B. Set the Enable access-denied assistance on client for all file types policy setting to Enabled for GPO1.
C. Set the Customize message for Access Denied errors policy setting to Not Configured for GPO1.
D. Set the Enable access-denied assistance on client for all file types policy setting to Disabled for GPO1.

Answer: C
Explanation:
Ensure that you can configure access-denied assistance
http://technet.microsoft.com/en-us/library/hh831402.aspx#BKMK_1

QUESTION 155
Your network contains multiple Active Directory sites.
You have a Distributed File System (DFS) namespace that has a folder target in each site.
You discover that some client computers connect to DFS targets in other sites.
You need to ensure that the client computers only connect to a DFS target in their respective site.
What should you modify?

A. The properties of the Active Directory sites


B. The properties of the Active Directory site links
C. The delegation settings of the namespace
D. The referral settings of the namespace

Answer: D
Explanation:
A. A site is a set of well-connected subnets.
B. To control which sites replicate directly with each other

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 150
http://www.braindump2go.com
C. Determines the users and groups granted permissions to manage the replication group
D. A referral is an ordered list of servers that a client computer receives from a domain controller
or namespace server when the user accesses a namespace root or DFS folder with targets. After
the computer receives the referral, the computer attempts to access the first server in the list. If
the server is not available, the client computer attempts to access the next server. If a server
becomes unavailable, you can configure clients to fail back to the preferred server after it
becomes available.
http://www.windowsnetworking.com/articles_tutorials/Configuring-DFS-Namespaces.html
http://technet.microsoft.com/en-us/library/cc794914(v=ws.10).aspx

QUESTION 156
Your network contains an Active Directory domain named contoso.com.
You have a failover cluster named Cluster1. All of the nodes in Cluster1 have BitLocker Drive
Encryption (BitLocker) installed.
You plan to add a new volume to the shared storage of Cluster1.
You need to add the new volume to the shared storage.
The solution must meet the following requirements:

- Encrypt the volume.


- Avoid using maintenance mode on the cluster.

Which three actions should you perform?


To answer, move the three appropriate actions from the list of actions to the answer area and
arrange them in the correct order.

Answer:

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 151
http://www.braindump2go.com
Explanation:

Among the new features of Windows Server 2012 and Windows Server 2012 R2 includes the
ability to both conventional Cluster Disk and Cluster Shared Volumes with BitLocker Drive
Encryption to encrypt. Volumes can be encrypted before they are added to the cluster as storage.
Alternatively, a volume are also still encrypted when it is already in use by the cluster. In the latter
case the volume but must be added before encryption into maintenance mode. Another new
feature of the failover cluster in Windows Server 2012 and Windows Server 2012 R2 is the ability
to switch, instead of the entire cluster only individual volumes into maintenance mode.

QUESTION 157
Your network contains an Active Directory domain named contoso.com. The domain functional
level in Windows Server 2008. All domain controllers run Windows Server 2008 R2. The domain
contains a file server named Server1 that runs Windows Server 2012 R2. Server1 has a
BitLocker Drive Encryption (BitLocker)-encrypted drive. Server1 uses a trusted Platform Module
(TPM) chip.
You enable the Turn on TPM backup to Active Directory Domain Services policy setting by using

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 152
http://www.braindump2go.com
a Group Policy object (GPO).
You need to ensure that you can back up the BitLocker recovery information to Active Directory.
What should you do?

A. Upgrade a domain controller to Windows 2012.


B. Enable the Store BitLocker recovery information in the Active Directory Services (Windows Server2008
and Windows Vista) policy settings.
C. Raise the forest functional level to Windows 2008 R2.
D. Add a BitLocker data recovery agent

Answer: B
Explanation:
You should also configure AD DS before configuring BitLocker on client computers. If BitLocker is
enabled first, recovery information for those computers will not be automatically added to AD DS.
If necessary, recovery information can be backed up to AD DS after BitLocker has been enabled
by using either the Manage-bde command-line tool or the BitLocker Windows Management
Instrumentation (WMI) provider.
http://technet.microsoft.com/en-us/library/dd875529(v=ws.10).aspx

QUESTION 158
Your company has a main office and a branch office. The main office is located in Seattle. The
branch office is located in Montreal. Each office is configured as an Active Directory site. The
network contains an Active Directory domain named adatum.com. The Seattle office contains a
file server named Server1. The Montreal office contains a file server named Server2. The servers
run Windows Server 2012 R2 and have the File and Storage Services server role, the DFS
Namespaces role service, and the DFS Replication role service installed. Server1 and Server2
each have a share named Share1 that is replicated by using DFS Replication.
You need to ensure that users connect to the replicated folder in their respective office when they
connect to \\contoso.com\Share1.
Which three actions should you perform?
(Each correct answer presents part of the solution. Choose three.)

A. Create a replication connection.


B. Create a namespace.
C. Share and publish the replicated folder.
D. Create a new topology.
E. Modify the Referrals settings.

Answer: BCE
Explanation:
To share a replicated folder and publish it to a DFS namespace Click Start, point to
Administrative Tools, and then click DFS Management. In the console tree, under the Replication
node, click the replication group that contains the replicated folder you want to share. In the
details pane, on the Replicated Folders tab, right-click the replicated folder that you want to
share, and then click Share and Publish in Namespace. In the Share and Publish Replicated
Folder Wizard, click Share and publish the replicated folder in a namespace, and then follow the
steps in the wizard.
Note that: If you do not have an existing namespace, you can create one in the Namespace Path
page in the Share and Publish Replicated Folder Wizard. To create the namespace, in the
Namespace Path page, click Browse, and then click New Namespace.
To create a namespace
Click Start, point to Administrative Tools, and then click DFS Management.
In the console tree, right-click the Namespaces node, and then click New Namespace. Follow the

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 153
http://www.braindump2go.com
instructions in the New Namespace Wizard.
To create a stand-alone namespace on a failover cluster, specify the name of a clustered file
server instance on the Namespace Server page of the New Namespace Wizard.
Important
Do not attempt to create a domain-based namespace using the Windows Server 2008 mode
unless the forest functional level is Windows Server 2003 or higher. Doing so can result in a
namespace for which you cannot delete DFS folders, yielding the following error message: "The
folder cannot be deleted. Cannot complete this function."
http://technet.microsoft.com/en-us/library/cc731531.aspx
http://technet.microsoft.com/en-us/library/cc772778%28v=ws.10%29.aspx
http://technet.microsoft.com/en-us/library/cc732414.aspx
http://technet.microsoft.com/en-us/library/cc772379.aspx
http://technet.microsoft.com/en-us/library/cc732863%28v=ws.10%29.aspx
http://technet.microsoft.com/en-us/library/cc725830.aspx
http://technet.microsoft.com/en-us/library/cc771978.aspx

QUESTION 159
You have a server named Server1 that runs Windows Server 2012 R2. An administrator creates
a quota as shown in the Quota exhibit. (Click the Exhibit button.)

You run the dir command as shown in the Dir exhibit. (Click the Exhibit button.)

You need to ensure that D:\Folder1 can only consume 100 MB of disk space.
What should you do?

A. From File Server Resource Manager, edit the existing quota.


B. From the properties of drive D, enable quota management.
C. From the Services console, set the Startup Type of the Optimize drives service to Automatic.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 154
http://www.braindump2go.com
D. From File Server Resource Manager, create a new quota.

Answer: D
Explanation:
Create a new Quota on path, without using the auto apply template and create quota on existing
and new subfolders.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 155
http://www.braindump2go.com
http://technet.microsoft.com/en-us/library/cc755603(v=ws.10).aspx

QUESTION 160
Your network contains an Active Directory domain named contoso.com. All servers run Windows
Server 2012 R2. The domain contains an organizational unit (OU) named FileServers_OU.
FileServers_OU contains the computer accounts for all of the file servers in the domain.
You need to audit the users who successfully access shares on the file servers.
Which audit category should you configure?
To answer, select the appropriate category in the answer area.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 156
http://www.braindump2go.com
Answer:

Explanation:
http://technet.microsoft.com/en-us/library/hh831382.aspx
http://technet.microsoft.com/en-us/library/cc766468(v=ws.10).aspx

QUESTION 161
Your network contains an Active Directory domain named contoso.com.
The domain does not contain a certification authority (CA).
All servers run Windows Server 2012 R2.
All client computers run Windows 8.
You need to add a data recovery agent for the Encrypting File System (EFS) to the domain.
Which two actions should you perform? (Each correct answer presents part of the solution.
Choose two.)

A. From Windows PowerShell, run Get-Certificate.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 157
http://www.braindump2go.com
B. From the Default Domain Controllers Policy, select Create Data Recovery Agent.
C. From the Default Domain Policy, select Add Data Recovery Agent.
D. From a command prompt, run cipher.exe.
E. From the Default Domain Policy, select Create Data Recovery Agent.
F. From the Default Domain Controllers Policy, select Add Data Recovery Agent.

Answer: CD
Explanation:
http://technet.microsoft.com/en-us/library/cc771346.aspx
cipher /r: Generates an EFS recovery agent key and certificate, then writes them to a .pfx file
(containing certificate and private key) and a .cer file (containing only the certificate).
If /smartcard is specified, it writes the recovery key and certificate to a smart card, and no .pfx file
is generated.

QUESTION 162
Your network contains an Active Directory domain named adatum.com. All domain controllers run
Windows Server 2008 R2. The domain contains a file server named Server6 that runs Windows
Server 2012 R2. Server6 contains a folder named Folder1. Folder1 is shared as Share1.
The NTFS permissions on Folder1 are shown in the exhibit. (Click the Exhibit button.)

The domain contains two global groups named Group1 and Group2.
You need to ensure that only users who are members of both Group1 and Group2 are denied
access to Folder1.
Which two actions should you perform?
(Each correct answer presents part of the solution. Choose two.)

A. Remove the Deny permission for Group1 from Folder1.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 158
http://www.braindump2go.com
B. Deny Group2 permission to Folder1.
C. Install a domain controller that runs Windows Server 2012 R2.
D. Create a conditional expression.
E. Deny Group2 permission to Share1.
F. Deny Group1 permission to Share1.

Answer: AD
Explanation:
* Conditional Expressions for Permission Entries Windows Server 2008 R2 and Windows 7
enhanced Windows security descriptors by introducing a conditional access permission entry.
Windows Server 2012 R2 takes advantage of conditional access permission entries by inserting
user claims, device claims, and resource properties, into conditional expressions. Windows
Server 2012 R2 security evaluates these expressions and allows or denies access based on
results of the evaluation. Securing access to resources through claims is known as claims-based
access control. Claims-based access control works with traditional access control to provide an
additional layer of authorization that is flexible to the varying needs of the enterprise environment.
http://social.technet.microsoft.com/wiki/contents/articles/14269.introducing-dynamicaccess-
control-en-us.aspx

QUESTION 163
You have 20 servers that run Windows Server 2012 R2.
You need to create a Windows PowerShell script that registers each server in Windows Azure
Online Backup and sets an encryption passphrase.
Which two PowerShell cmdlets should you run in the script?
(Each correct answer presents part of the solution. Choose two.)

A. New-OBPolicy
B. New-OBRetentionPolicy
C. Add-OBFileSpec
D. Start-OBRegistration
E. Set OBMachineSetting

Answer: DE
Explanation:
D: Start-OBRegistration
Registers the current computer with Windows Azure Online Backup using the credentials
(username and password) created during enrollment.
E: The Set-OBMachineSettingcmdlet sets aOBMachineSetting object for the server that includes
proxy server settings for accessing the internet, network bandwidth throttling settings, and the
encryption passphrase that is required to decrypt the files during recovery to another server.
Incorrect:
Not C: TheAdd-OBFileSpeccmdlet adds theOBFileSpecobject, which specifies the items to
include or exclude from a backup, to the backup policy (OBPolicyobject).
TheOBFileSpecobject can include or exclude multiple files, folders, or volumes.
http://technet.microsoft.com/en-us/library/hh770416(v=wps.620).aspx
http://technet.microsoft.com/en-us/library/hh770425(v=wps.620).aspx
http://technet.microsoft.com/en-us/library/hh770424.aspx
http://technet.microsoft.com/en-us/library/hh770398.aspx
http://technet.microsoft.com/en-us/library/hh770409.aspx

QUESTION 164
You have 30 servers that run Windows Server 2012 R2. All of the servers are backed up daily by

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 159
http://www.braindump2go.com
using Windows Azure Online Backup.
You need to perform an immediate backup of all the servers to Windows Azure Online Backup.
Which Windows PowerShell cmdlets should you run on each server?

A. Start-OBRegistration | Start-OBBackup
B. Get-OBPolicy | Start-OBBackup
C. Get-WBBackupTarget | Start-WBBackup
D. Get-WBPolicy | Start-WBBackup

Answer: B
Explanation:
A. starts a backup job using a policy
B. Registers the current computer to Windows Azure Backup.
C. Not using Azure
D. Not using Azure
http://technet.microsoft.com/en-us/library/hh770406(v=wps.620).aspx
http://technet.microsoft.com/en-us/library/hh770426.aspx
http://technet.microsoft.com/en-us/library/hh770398.aspx

QUESTION 165
Your network contains an Active Directory domain named contoso.com. The domain contains a
server named Server1 that runs Windows Server 2012 R2.
Server1 has the File Server Resource Manager role service installed.
You configure a quota threshold as shown in the exhibit. (Click the Exhibit button.)

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 160
http://www.braindump2go.com
You need to ensure that a user named User1 receives an email notification when the threshold is
exceeded.
What should you do?

A. Configure the File Server Resource Manager Options.


B. Modify the members of the Performance Log Users group.
C. Create a performance counter alert.
D. Create a classification rule.

Answer: A
Explanation:
A. When you create quotas and file screens, you have the option of sending e-mail notifications to
users when their quota limit is approaching or after they have attempted to save files that have
been blocked
B. Members of this group can manage performance counters, logs and alerts on the server locally
and from remote clients without being a member of the Administrators group.
C. You can set an alert on a counter, thereby defining that a message be sent, a program be run,
an entry made to the application event log, or a log be started when the selected counter's value
exceeds or falls below a specified setting.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 161
http://www.braindump2go.com
D. File Classification Infrastructure provides insight into your data by automating classification
processes so that you can manage your data more effectively. You can classify files and apply
policies based on this classification. Example policies include dynamic access control for
restricting access to files, file encryption, and file expiration. Files can be classified automatically
by using file classification rules or manually by modifying the properties of a selected file or folder.
http://technet.microsoft.com/en-us/library/cc756031(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc785098(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/bb490759.aspx
http://technet.microsoft.com/en-us/library/hh831701.aspx

QUESTION 166
You have a server named Server1 that runs Windows Server 2012 R2. Server1 has the File
Server Resource Manager role service installed. Server1 has a folder named Folder1 that is used
by the sales department.
You need to ensure that an email notification is sent to the sales manager when a File Screening
Audit report is generated.
What should you configure on Server1?

A. A file screen exception


B. A file group
C. A storage report task
D. A file screen

Answer: C
Explanation:
A. A file screen exception is a special type of file screen that overrides any file screening that
would otherwise apply to a folder and all its subfolders in a designated exception path. That is, it
creates an exception to any rules derived from a parent folder.
B. A file group is used to define a namespace for a file screen, file screen exception, or Files by
File Group storage report.
C. file screening report will identify individuals or applications that violate file screening policy,
To set e-mail notifications and certain reporting capabilities, you must first configure the general
File Server Resource Manager options.
D. Control the types of files that users can save
http://technet.microsoft.com/en-us/library/cc730822.aspx
http://technet.microsoft.com/en-us/library/cc770594.aspx
http://technet.microsoft.com/en-us/library/cc771212.aspx
http://technet.microsoft.com/en-us/library/cc732074.aspx
http://technet.microsoft.com/en-us/library/cc755988.aspx

QUESTION 167
Your network contains an Active Directory domain named contoso.com. The domain contains two
servers named Server1 and Server2. Both servers run Windows Server 2012 R2. Both servers
have the File and Storage Services server role. The DFS Namespaces role service, and the DFS
Replication role service installed. Server1 and Server2 are part of a Distributed File System
(DFS) Replication group named Group1. Server1 and Server2 are separated by a low-speed
WAN connection.
You need to limit the amount of bandwidth that DFS can use to replicate between Server1 and
Server2.
What should you modify?

A. The referral ordering of the namespace


B. The cache duration of the namespace

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 162
http://www.braindump2go.com
C. The schedule of the replication group
D. The staging quota of the replicated folder

Answer: C
Explanation:
A. A referral is an ordered list of targets that a client computer receives from a domain controller
or namespace server when the user accesses a namespace root or folder with targets in the
namespace. You can adjust how long clients cache a referral before requesting a new one.
B. DFS Replication uses staging folders for each replicated folder to act as caches for new and
changed files that are ready to be replicated from sending members to receiving members.
C. A referral is an ordered list of targets that a client computer receives from a domain controller
or namespace server when the user accesses a namespace root or folder with targets. After the
client receives the referral, the client attempts to access the first target in the list. If the target is
not available, the client attempts to access the next target.
D. Scheduling allows less bandwidth the by limiting the time interval of the replication
http://technet.microsoft.com/en-us/library/cc771251.aspx
http://technet.microsoft.com/en-us/library/cc754229.aspx
http://technet.microsoft.com/en-us/library/cc732414.aspx
http://technet.microsoft.com/en-us/library/cc753923.aspx

QUESTION 168
You have five servers that run Windows Server 2012 R2. The servers have the Failover
Clustering feature installed.
You deploy a new cluster named Cluster1. Cluster1 is configured as shown in the following table.

Server1, Server2, and Server3 are configured as the preferred owners of the cluster roles.
Dynamic quorum management is disabled.
You plan to perform hardware maintenance on Server3.
You need to ensure that if the WAN link between Site1 and Site2 fails while you are performing
maintenance on Servers, the cluster resource will remain available in Site1.
What should you do?

A. Add a file share witness in Site1.


B. Remove the node vote for Server3.
C. Remove the node vote for Server4 and Server5.
D. Enable dynamic quorum management.

Answer: C

QUESTION 169
Your network contains an Active Directory domain named contoso.com. The domain contains a
file server named Server1 that runs Windows Server 2012 R2.
You view the effective policy settings of Server1 as shown in the exhibit. (Click the Exhibit
button.)

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 163
http://www.braindump2go.com
On Server1, you have a folder named C:\Share1 that is shared as Share1. Share1 contains
confidential data. A group named Group1 has full control of the content in Share1.
You need to ensure that an entry is added to the event log whenever a member of Group1
deletes a file in Share1.
What should you configure?

A. The Audit File System setting of Servers GPO


B. The Sharing settings of C:\Share1
C. The Security settings of C:\Share1
D. The Audit File Share setting of Servers GPO

Answer: C
Explanation:
Access to objects, such as files and folders can be audited using the advanced security setting
auditing tab on Share1 and adding Group1 and selecting the delete check box
http://technet.microsoft.com/en-us/library/cc753927(v=ws.10).aspx
http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/13779c78-0c73-4477-
8014-f2eb10f3f10f/

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 164
http://www.braindump2go.com
QUESTION 170
You have a server named Server1 that runs Windows Server 2012 R2. Server1 has the File
Server Resource Manager role service installed.
Server1 has a folder named Folder1 that is used by the human resources department.
You need to ensure that an email notification is sent immediately to the human resources
manager when a user copies an audio file or a video file to Folder1.
What should you configure on Server1?

A. A file screen
B. A file screen exception
C. A file group
D. A storage report task

Answer: A
Explanation:
A. Create file screens to control the types of files that users can save, and generate notifications
when users attempt to save unauthorized files
B. A file screen exception is a special type of file screen that overrides any file screening that
would otherwise apply to a folder and all its subfolders in a designated exception path. That is, it
creates an exception to any rules derived from a parent folder.
C. File are a group of file classified by extension (i.e. Images: ,jpg, .gif, etc..)
D. Create reports based on file use
http://technet.microsoft.com/en-us/library/cc732074.aspx http://technet.microsoft.com/en-
us/library/cc730822.aspx http://technet.microsoft.com/en-us/library/cc755988(v=ws.10).aspx

QUESTION 171
Your network contains an Active Directory domain named contoso.com. The domain contains two
servers named Server1 and Server2. Both servers run Windows Server 2012 R2. Both servers
have the File and Storage Services server role, the DFS Namespace role service, and the DFS
Replication role service installed. Server1 and Server2 are part of a Distributed File System
(DFS) Replication group named Group1.
Server1 and Server2 are connected by using a high-speed LAN connection.
You need to minimize the amount of processor resources consumed by DFS Replication.
What should you do?

A. Reduce the bandwidth usage.


B. Disable Remote Differential Compression (RDC).
C. Modify the staging quota.
D. Modify the replication schedule.

Answer: B
Explanation:
Because disabling RDC can help conserve disk input/output (I/O) and CPU resources, you might
want to disable RDC on a connection if the sending and receiving members are in a local area
network (LAN), and bandwidth use is not a concern. However, in a LAN environment where
bandwidth is contended, RDC can be beneficial when transferring large files.
Question tells it uses a high-speed LAN connection.
http://technet.microsoft.com/en-us/library/cc758825%28v=ws.10%29.aspx
http://technet.microsoft.com/en-us/library/cc754229.aspx

QUESTION 172
Your company has a main office and two branch offices.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 165
http://www.braindump2go.com
The main office is located in New York. The branch offices are located in Seattle and Chicago.
The network contains an Active Directory domain named contoso.com.
An Active Directory site exists for each office. Active Directory site links exist between the main
office and the branch offices. All servers run Windows Server 2012 R2.
The domain contains three file servers.
The file servers are configured as shown in the following table.

You implement a Distributed File System (DFS) replication group named Rep1Group.
Rep1Group is used to replicate a folder on each file server.
Rep1Group uses a hub and spoke topology. NYC-SVR1 is configured as the hub server.
You need to ensure that replication can occur if NYC-SVR1 fails.
What should you do?

A. Create an Active Directory site link.


B. Modify the properties of Rep1Group.
C. Create an Active Directory site link bridge.
D. Create a connection in Rep1Group.

Answer: D
Explanation:
http://faultbucket.ca/2012/08/fixing-a-dfsr-connection-problem/
http://faultbucket.ca/2012/08/fixing-a-dfsr-connection-problem/
http://technet.microsoft.com/en-us/library/cc771941.aspx

QUESTION 173
You have a server named Server1 that runs Windows Server 2012 R2.
You plan to create an image of Server1.
You need to remove the source files for all server roles that are not installed on Server1.
Which tool should you use?

A. Ocsetup.exe
B. Servermanagercmd.exe
C. Imagex.exe
D. Dism.exe

Answer: D
Explanation:
servermanagercmd.exe - The ServerManagerCmd.exe command-line tool has been deprecated
in WindowsServer 2008 R2.
imagex.exe - ImageX is a command-line tool in Windows Vista that you can use to create and
manageWindows image (.wim) files. A .wim file contains one or more volume images, disk
volumes that containimages of an installed Windows operating system. dism.exe - Deployment
Image Servicing and Management (DISM.exe) is a command-line tool that canbe used to service
a Windows?image or to prepare a Windows Preinstallation Environment (WindowsPE) image. It
replaces Package Manager (Pkgmgr.exe), PEimg, and Intlcfg that were included inWindows
Vista? The functionality that was included in these tools is now consolidated in one

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 166
http://www.braindump2go.com
tool(DISM.exe), and new functionality has been added to improve the experience for offline
servicing. DISMcan Add, remove, and enumerate packages. ocsetup.exe - The Ocsetup.exe tool
is used as a wrapper for Package Manager (Pkgmgr.exe) and for WindowsInstaller
(Msiexec.exe). Ocsetup.exe is a command-line utility that can be used to perform scripted installs
andscripted uninstalls of Windows optional components. The Ocsetup.exe tool replaces the
Sysocmgr.exe tool thatWindows XP and Windows Server 2003i use.

http://technet.microsoft.com/en-us/library/hh824822.aspx
http://blogs.technet.com/b/joscon/archive/2010/08/26/adding-features-with-dism.aspx
http://technet.microsoft.com/en-us/library/hh831809.aspx
http://technet.microsoft.com/en-us/library/hh825265.aspx

QUESTION 174
Your domain has contains a Windows 8 computer name Computer1 using BitLocker.
The E:\ drive is encrypted and currently locked.
You need to unlock the E:\ drive with the recovery key stored on C:\
What should you run?

A. Unlock-BitLocker
B. Suspend-BitLocker
C. Enable-BitLockerAutoUnloc
D. Disable-BitLocker

Answer: A
Explanation:
Restores access to data on a BitLocker volume.
http://technet.microsoft.com/en-us/library/jj649833(v=wps.620).aspx

QUESTION 175
Your network contains and active Directory domain named contoso.com.
The doman contains a server named Server1 that runs Windows Server 2012 R2.
A local account named Admin1 is a member of the Administrators group on Server1.
You need to generate an audit event whenever Admin1 is denied access to a file or folder.
What should you run?

A. auditpol.exe /set /user:admin1 /category:"detailed tracking" /failure:enable


B. auditpol.exe /set/user:admin1 /failure:enable
C. auditpol.exe /resourcesacl /set /type:keyauditpol.exe /resourcesacl /set /type: /access:ga
D. auditpol.exe /resourcesacl /set /type:file /user:admin1 /failure

Answer: D
Explanation:
http://technet.microsoft.com/en-us/library/ff625687.aspx

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 167
http://www.braindump2go.com
set a global resource SACL to audit successful and failed attempts by a user to perform generic
read and write functions on files or folders:
auditpol /resourceSACL /set /type:File /user:MYDOMAINmyuser /success /failure /access:FRFW
http://technet.microsoft.com/en-us/library/ff625687%28v=ws.10%29.aspx Syntax
auditpol /resourceSACL
[/set /type:<resource> [/success] [/failure] /user:<user> [/access:<access flags>]] [/remove
/type:<resource> /user:<user> [/type:<resource>]] [/clear [/type:<resource>]]
[/view [/user:<user>] [/type:<resource>]]
http://technet.microsoft.com/en-us/library/ff625687%28v=ws.10%29.aspx
http://technet.microsoft.com/en-us/library/ff625687%28v=ws.10%29.aspx
http://technet.microsoft.com/en-us/library/ff625687.aspx
http://technet.microsoft.com/en-us/library/ff625687%28v=ws.10%29.aspx

QUESTION 176
Your network contains an Active Directory domain named contoso.com. The domain contains a
file server named Server1 that runs Windows Server 2012 R2.
You view the effective policy settings of Server1 as shown in the exhibit. (Click the Exhibit
button.)

You need to ensure that an entry is added to the event log whenever a local user account is
created or deleted on Server1.
What should you do?

A. In Servers GPO, modify the Advanced Audit Configuration settings.


B. On Server1, attach a task to the security log.
C. In Servers GPO, modify the Audit Policy settings.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 168
http://www.braindump2go.com
D. On Server1, attach a task to the system log.

Answer: A
Explanation:
When you use Advanced Audit Policy Configuration settings, you need to confirm that these
settings are not overwritten by basic audit policy settings. The following procedure shows how to
prevent conflicts by blocking the application of any basic audit policy settings.
Enabling Advanced Audit Policy Configuration
Basic and advanced audit policy configurations should not be mixed. As such, it's best practice to
enable Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit
policy category settings in Group Policy to make sure that basic auditing is disabled. The setting
can be found under Computer Configuration\Policies\Security Settings\Local Policies\Security
Options, and sets the SCENoApplyLegacyAuditPolicy registry key to prevent basic auditing being
applied using Group Policy and the Local Security Policy MMC snap-in.
In Windows 7 and Windows Server 2008 R2, the number of audit settings for which success and
failure can be tracked has increased to 53. Previously, there were nine basic auditing settings
under Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit
Policy. These 53 new settings allow you to select only the behaviors that you want to monitor and
exclude audit results for behaviors that are of little or no concern to you, or behaviors that create
an excessive number of log entries. In addition, because Windows 7 and Windows Server 2008
R2 security audit policy can be applied by using domain Group Policy, audit policy settings can be
modified, tested, and deployed to selected users and groups with relative simplicity.
Audit Policy settings
Any changes to user account and resource permissions.
Any failed attempts for user logon.
Any failed attempts for resource access.
Any modification to the system files.
Advanced Audit Configuration SettingsAudit compliance with important business-related and
security-related rules by tracking precisely defined activities, such as:
A group administrator has modified settings or data on servers that contain finance information.
An employee within a defined group has accessed an important file. The correct system access
control list (SACL) is applied to every file and folder or registry key on a computer or file share as
a verifiable safeguard against undetected access.
In Servers GPO, modify the Audit Policy settings - enabling audit account management setting
will generate events about account creation, deletion and so on.
Advanced Audit Configuration SettingsAdvanced Audit Configuration Settings ->Audit Policy
-> Account Management -> Audit User Account Management

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 169
http://www.braindump2go.com
In Servers GPO, modify the Audit Policy settings - enabling audit account management setting
will generate events about account creation, deletion and so on.

http://blogs.technet.com/b/abizerh/archive/2010/05/27/tracing-down-user-and-computer-account-
deletion-in-active-directory.aspx
http://technet.microsoft.com/en-us/library/dd772623%28v=ws.10%29.aspx
http://technet.microsoft.com/en-us/library/jj852202(v=ws.10).aspx
http://www.petri.co.il/enable-advanced-audit-policy-configuration-windows-server.htm
http://technet.microsoft.com/en-us/library/dd408940%28v=ws.10%29.aspx
http://technet.microsoft.com/en-us/library/dd408940%28v=ws.10%29.aspx#BKMK_step2

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 170
http://www.braindump2go.com
QUESTION 177
You have 3 server that runs Windows Server 2012 R2.
The server contains the disks configured as shown in the following table.

You need to create a volume that can store up to 3 TB of user files.


The solution must ensure that the user files are available if one of the disks in the volume fails.
What should you create?

A. A storage pool on Disk 2 and Disk 3


B. A mirrored volume on Disk 2 and Disk 3
C. A storage pool on Disk 1 and Disk 3
D. A mirrored volume on Disk l and Disk 4
E. Raid 5 Volume out of Disks 1, 2 and 3

Answer: B
Explanation:
A. Storage pool can't use Dynamic disk
B. Mirrored volume will be > 3Tb
C. Storage pool can't use Dynamic disk
D. is impossible, we need 3Tb of disk space
E. Raid5 need to be on dynamic disk

QUESTION 178
You perform a Server Core Installation of Windows Server 2012 R2 on a server named Server1.
You need to add a graphical user interface (GUI) to Server1.
Which tool should you use?

A. the Add-WindowsPackagecmdlet
B. the Add-WindowsFeaturecmdlet
C. the Install-Module cmdlet
D. the Install-RoleServicecmdlet

Answer: B

QUESTION 179
Your network contains an Active Directory domain named contoso.com. The domain contains a
Web server named www.contoso.com. The Web server is available on the Internet.
You implement DirectAccess by using the default configuration.
You need to ensure that users never attempt to connect to www.contoso.com by using

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 171
http://www.braindump2go.com
DirectAccess.
The solution must not prevent the users from using DirectAccess to access other resources in
contoso.com.
Which settings should you configure in a Group Policy object (GPO)?

A. Name Resolution Policy


B. DNS Client
C. Network Connections
D. DirectAccess Client Experience Settings

Answer: A
Explanation:
For DirectAccess, the NRPT must be configured with the namespaces of your intranet with a
leading dot (for example, .internal.contoso.com or .corp.contoso.com). For a DirectAccess client,
any name request that matches one of these namespaces will be sent to the specified intranet
Domain Name System (DNS) servers.
Include all intranet DNS namespaces that you want DirectAccess client computers to access.
There are no command line methods for configuring NRPT rules. You must use Group Policy
settings. To configure the NRPT through Group Policy, use the Group Policy add-in at Computer
Configuration \Policies\Windows Settings\Name Resolution Policy in the Group Policy object for
DirectAccess clients. You can create a new NRPT rule and edit or delete existing rules. For more
information, see Configure the NRPT with Group Policy.

QUESTION 180
You have a DNS server named Server1. Server1 has a primary zone named contoso.com. Zone
Aging/ Scavenging is configured for the contoso.com zone. One month ago, an Administrator
removed a server named Server2 from the network.
You discover that a static resource record for Server2 is present in contoso.com. Resource
records for decommissioned client computers are removed automatically from contoso.com.
You need to ensure that the static resource records for all of the servers are removed
automatically from contoso.com.
What should you modify?

A. The Security settings of the static resource records


B. The Expires after value of contoso.com
C. The Record time stamp value of the static resource records
D. The time-to-live (TTL) value of the static resource records

Answer: C
Explanation:
C. reset and permit them to use a current (non-zero) time stamp value. This enables these
records to become aged and scavenged.
D. For most resource records, this field is optional. It indicates a length of time used by other DNS
servers to determine how long to cache information for a record before expiring and discarding it.
http://technet.microsoft.com/en-us/library/cc771677.aspx
http://technet.microsoft.com/en-us/library/cc758321(v=ws.10).aspx

QUESTION 181
You have a server named Server1 that runs Windows Server 2012 R2. Server1 has the Remote
Access server role installed.
You need to configure the ports on Server1 to ensure that client computers can establish VPN
connections to Server1 by using TCP port 443.
What should you modify? To answer, select the appropriate object in the answer area.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 172
http://www.braindump2go.com
Answer:

Explanation:

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 173
http://www.braindump2go.com
http://technet.microsoft.com/en-us/library/cc771298(v=ws.10).aspx
Secure Socket Tunneling Protocol (SSTP) is a new tunneling protocol that uses the HTTPS
protocol over TCP port 443 to pass traffic through firewalls and Web proxies that might block
PPTP and L2TP/IPsec traffic.

QUESTION 182
Your network contains two Active Directory domains named contoso.com and adatum.com. The
network contains a server named Server1 that runs Windows Server 2012 R2. Server1 has the
DNS Server server role installed. Server1 has a copy of the contoso.com DNS zone.
You need to configure Server1 to resolve names in the adatum.com domain.
The solution must meet the following requirements:

- Prevent the need to change the configuration of the current name


servers that host zones for adatum.com.
- Minimize Administrative effort.

Which type of zone should you create?

A. Primary
B. Secondary
C. Reverse lookup
D. Stub

Answer: D
Explanation:
A. When a zone that this DNS server hosts is a primary zone, the DNS server is the primary
source for information about this zone, and it stores the master copy of zone data in a local file or
in AD DS.
B. When a zone that this DNS server hosts is a secondary zone, this DNS server is a secondary
source for information about this zone. The zone at this server must be obtained from another
remote DNS server computer that also hosts the zone
C. clients use a known IP address and look up a computer name based on its address.
A reverse lookup takes the form of a question, such as "Can you tell me the DNS name of the
computer that uses the IP address 192.168.1.20?"
D. When a zone that this DNS server hosts is a stub zone, this DNS server is a source only for
information about the authoritative name servers for this zone. The zone at this server must be
obtained from another DNS server that hosts the zone.
- Prevents Change to current zone
http://technet.microsoft.com/en-us/library/cc771898.aspx
http://technet.microsoft.com/en-us/library/cc730980.aspx

QUESTION 183
Your network contains two servers named Server1 and Server2. Both servers run Windows
Server 2012 R2 and have the DNS Server server role installed.
On Server1, you create a standard primary zone named contoso.com.
You need to ensure that Server2 can host a secondary zone for contoso.com.
What should you do from Server1?

A. Add Server2 as a name server.


B. Convert contoso.com to an Active Directory-integrated zone.
C. Create a zone delegation that points to Server2.
D. Create a trust anchor named Server2.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 174
http://www.braindump2go.com
Answer: A
Explanation:
A. You must add a new Name Server. To add a name server to the list of authoritative servers for
the zone, you must specify both the server's IP address and its DNS name. When entering
names, click Resolve to resolve the name to its IP address prior to adding it to the list.
B. Instead of adding standard secondary DNS servers, you can convert the server from a primary
DNS server to an Active Directory Integrated Primary server and configure another domain
controller to be a DNS server
C. You can divide your Domain Name System (DNS) namespace into one or more zones.
You can delegate management of part of your namespace to another location or department in
your organization by delegating the management of the corresponding zone.
http://technet.microsoft.com/en-us/library/cc770984.aspx
http://support.microsoft.com/kb/816101
http://technet.microsoft.com/en-us/library/cc753500.aspx
http://technet.microsoft.com/en-us/library/cc771640(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/ee649280(v=ws.10).aspx

QUESTION 184
You have a server named Server1 that runs Windows Server 2012 R2. Server1 has the Remote
Access server role installed. On Server1, you create a network policy named Policy1.
You need to configure Policy1 to apply only to VPN connections that use the L2TP protocol.
What should you configure in Policy1?

A. The Tunnel Type


B. The Service Type
C. The NAS Port Type
D. The Framed Protocol

Answer: A
Explanation:
A. Restricts the policy to only clients that create a specific type of tunnel, such as PPTP or L2TP.
B. Restricts the policy to only clients specifying a certain type of service, such as Telnet or Point
to Point Protocol connections.
C. Allows you to specify the type of media used by the client computer to connect to the network.
D. Restricts the policy to clients that specify a certain framing protocol for incoming packets, such
as PPP or SLIP.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 175
http://www.braindump2go.com
http://technet.microsoft.com/en-us/library/cc731220(v=ws.10).aspx

QUESTION 185
Your network contains an Active Directory domain named contoso.com. The domain contains a
domain controller named DC1 that runs Windows Server 2012 R2. All client computers run
Windows 8 Enterprise. DC1 contains a Group Policy object (GPO) named GPO1.
You need to deploy a VPN connection to all users.
What should you configure from User Configuration in GPO1?

A. Preferences/Control Panel Settings/Network Options


B. Policies/Administrative Templates/Windows Components/Windows Mobility Center
C. Policies/Administrative Templates/Network/Windows Connect Now
D. Policies/Administrative Templates/Network/Network Connections

Answer: A
Explanation:
The Network Options extension allows you to centrally create, modify, and delete dial-up
networking and virtual private network (VPN) connections.
Before you create a network option preference item, you should review the behavior of each type
of action possible with the extension.
http://technet.microsoft.com/en-us/library/cc772449.aspx

QUESTION 186
Your network contains an Active Directory domain named contoso.com. All servers run Windows
Server 2012 R2. All sales users have laptop computers that run Windows 8. The sales computers
are joined to the domain. All user accounts for the sales department are in an organizational unit
(OU) named Sales_OU. A Group Policy object (GPO) named GPO1 is linked to Sales_OU.
You need to configure a dial-up connection for all of the sales users.
What should you configure from User Configuration in GPO1?

A. Policies/Administrative Templates/Network/Windows Connect Now


B. Policies/Administrative Templates/Windows Components/Windows Mobility Center
C. Preferences/Control Panel Settings/Network Options
D. Policies/Administrative Templates/Network/Network Connections

Answer: C
Explanation:
The Network Options extension allows you to centrally create, modify, and delete dial-up
networking and virtual private network (VPN) connections. Before you create a network option
preference item, you should review the behavior of each type of action possible with the
extension.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 176
http://www.braindump2go.com
To create a new Dial-Up Connection preference item
Open the Group Policy Management Console. Right-click the Group Policy object (GPO) that
should contain the new preference item, and then click Edit. In the console tree under Computer
Configuration or User Configuration, expand the Preferences folder, and then expand the Control
Panel Settings folder. Right-click the Network Options node, point to New, and select Dial-Up
Connection.
References:
http://technet.microsoft.com/en-us/library/cc772107.aspx
http://technet.microsoft.com/en-us/library/cc772107.aspx
http://technet.microsoft.com/en-us/library/cc772449.aspx

QUESTION 187
You have a server named Server1 that runs Windows Server 2012 R2.
Server1 has 2 dual-core processors and 16 GB of RAM.
You install the Hyper-V server role in Server1.
You plan to create two virtual machines on Server1.
You need to ensure that both virtual machines can use up to 8 GB of memory.
The solution must ensure that both virtual machines can be started simultaneously.
What should you configure on each virtual machine?

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 177
http://www.braindump2go.com
A. Dynamic Memory
B. NUMA topology
C. Memory weight
D. Ressource Control

Answer: A
Explanation:

Dynamic Memory for Virtual Machines was introduced in Hyper-V in Windows Server 2008 R2
Service Pack 1 (SP1). The feature makes it possible to allocate a minimum and maximum value
for the memory of a virtual machine instead of a fixed value. The VM starts with the minimal
allocated memory and extended if necessary.
In this way, you can assign the virtual machines more memory than actually being physically
available. Through dynamic memory prevents a VM blocks unused memory that may be needed
urgently by another VM.

QUESTION 188

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 178
http://www.braindump2go.com
Your network contains an Active Directory domain named corp.contoso.com. The domain
contains a domain controller named DC1. When you run ping dcl.corp.contoso.com, you receive
the result as shown in the exhibit. (Click the Exhibit button.)

You need to ensure that DC1 can respond to the Ping command.
Which rule should you modify? To answer, select the appropriate rule in the answer area.

Answer:

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 179
http://www.braindump2go.com
QUESTION 189
You have a server named Server1 that runs Windows Server 2012 R2.
You promote Server1 to domain controller.
You need to view the service location (SVR) records that Server1 registers on DNS.
What should you do on Server1?

A. Open the Srv.sys file


B. Open the Netlogon.dns file
C. Run ipconfig/displaydns
D. Run Get-DnsServerDiagnostics

Answer: B
Explanation:

in DNS service location records (SRV resource records) are created for each domain controller,
enabling the client to locate the domain controller.
The messages can be viewed directly in the DNS Manager. Site-specific and general entries are
created for each domain controller. You can find the site-specific items in the following path:
Forward Lookup Zones / _msdcs. Domain Name / dc / _sites / site name / _tcp SRV records are
created for the following two services:

_kerberos
_ldap

Alternatively, you can view using a text editor the file netlogon.dns. The file netlogon.dns see the
path% systemroot% \ System32 \ Config. The figure shows the entries in the file netlogon.dns for
a domain with a site and a domain controller:

QUESTION 190
Your company has a remote office that contains 600 client computers on a single subnet.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 180
http://www.braindump2go.com
You need to select a subnet mask for the network that will support all of the client computers.
The solution must minimize the number of unused addresses.
Which subnet mask should you select?

A. 255.255.252.0
B. 255.255.254.0
C. 255.255.255.0
D. 255.255.255.128

Answer: A
Explanation:
The subnet mask 255.255.252.0 allows 10 bits for host addressing 2 ^ 10-2 = 1022 addresses,
making it the closest to the required 600 IP addresses.
The remaining three subnets each comprise less than 600 addresses.
Incorrect Answers:
B: The subnet 255.255.254.0 provides 2 ^ 9-2 = 510 too few IP addresses.
C: The subnet 255.255.255.0 has only 254 addresses for the client addressing.
D: The subnet 255.255.255.128 is 7 bits available for the host part of the IP addresses and offers
2 ^ 7-2 = 126 IP addresses.

QUESTION 191
Your network contains an Active Directory domain named contoso.com.
The domain contains a server named Server1. Server1 runs Windows Server 2012 R2.
You create a group Managed Service Account named gservice1.
You need to configure a service named Service1 to run as the gservice1 account.
How should you configure Service1?

A. From Windows PowerShell, run Set-Service and specify the -PassThrough parameter.
B. From a command prompt, run sc.exe and specify the config parameter.
C. From Windows PowerShell, run Set-Service and specify the -StartupType parameter.
D. From a command prompt, run sc.exe and specify the privs parameter.

Answer: B
Explanation:
A. General settings only allow you to stop, start and set type/paramaters
B. Set-Service provides a way for you to change the Description, StartupType, or DisplayName of
a service
C. Modifies service configuration
D. Sets the response/action on service failure
http://windows.microsoft.com/en-us/windows-vista/using-system-configuration
http://technet.microsoft.com/en-us/library/ee176963.aspx
http://technet.microsoft.com/en-us/library/cc990290(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc738230(v=ws.10).aspx

QUESTION 192
Hotspot Question
Your network contains an Active Directory domain named contoso.com. All client computers are
configured as DHCP clients.
You link a Group Policy object (GPO) named GPO1 to an organizational unit (OU) that contains
all of the client computer accounts.
You need to ensure that Network Access Protection (NAP) compliance is evaluated on all of the
client computers.
Which two settings should you configure in GPO1?

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 181
http://www.braindump2go.com
To answer, select the appropriate two settings in the answer area.

Answer:

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 182
http://www.braindump2go.com
QUESTION 193
Your network contains an Active Directory domain named contoso.com. All client computers run
Windows Vista Service Pack 2 (SP2). All client computers are in an organizational unit (OU)
named OU1. All user accounts are in an OU named OU2. All users log on to their client computer
by using standard user accounts. A Group Policy object (GPO) named GPO1 is linked to OU1.
A GPO named GPO2 is linked to OU2.
You need to apply advanced audit policy settings to all of the client computers.
What should you do?

A. In GPO1, configure a startup script that runs auditpol.exe.


B. In GPO2, configure a logon script that runs auditpol.exe.
C. In GPO1, configure the Advanced Audit Policy Configuration settings.
D. In GPO2, configure the Advanced Audit Policy Configuration settings.

Answer: A
Explanation:
All versions of Windows Server 2008 R2 and Windows 7 that can process Group Policy,
(Advanced Audit Policy Configuration) can be configured to use the new security monitoring
extensions. Versions of Windows Server 2008 R2 and Windows 7 that can not join a domain, do
not have access to these features. Between 32-bit and 64-bit versions of Windows 7 there is no
difference in supporting security monitoring. In addition, some special considerations with regard
to various tasks are required, are known to be associated with the monitoring enhancements in
Windows Server 2008 R2 and Windows 7 :
Create an audit policy.
To create an advanced Windows security auditing policy must be used 7 a computer running
Windows Server 2008 R2 or Windows. You can use the Group Policy Management Console on a
computer running Windows 7 after the Remote Server Administration Tools installed.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 183
http://www.braindump2go.com
Apply auditing policy settings.
If you use Group Policy to apply the advanced audit policy settings and global object access
settings must be running on client computers Windows Server 2008 R2 or Windows 7. Moreover,
only computers running Windows Server 2008 R2 or Windows 7, providing reporting data with
information on basic access.
Developing an audit policy model.
To plan advanced security audit settings and global object access settings, you must use the
Group Policy Management Console, which is aligned to a domain controller that is running
Windows Server 2008 R2.
Distributing the audit policy.
After developing a GPO that includes advanced security auditing settings, it can be distributed by
domain controllers running any Windows server operating system is running using. However, if
you can not place any client computer that is running Windows 7, in a separate organizational
unit (OU), use the Windows Management Instrumentation filtering to ensure that the advanced
policy settings are only for client computers that are running Windows 7, taken ,Advanced audit
policy settings may also be acquired for client computers running Windows Vista. However, the
audit policies for these client computers must be separately created and acquired by using the
logon script of type "Auditpol.exe".
The combined use of the basic audit policy settings under Local Policies \ Audit Policy and the
advanced settings under Configuration of the extended audit policy may have unexpected results.
Therefore, two sets of audit policy settings should not be combined. If you are using the
advanced configuration settings for the monitoring policy, select the policy setting monitoring:
Subcategory the audit policy setting force (Windows Vista or later) to set Settings category
in the audit policy repealed under Local Policies \ Security Options. This conflicts between
similar settings can be prevented by the basic safeguards will be ignored.

QUESTION 194
You have a server that runs Windows Server 2012 R2.
You have an offline image named Windows2012.vhd that contains an installation of Windows
Server 2012 R2.
You plan to apply several updates to Windows2012.vhd.
You need to mount Windows2012.vhd to H:\.
Which tool should you use?

A. Device Manager
B. Diskpart
C. Mountvol
D. Server Manager

Answer: B
Explanation:

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 184
http://www.braindump2go.com
http://technet.microsoft.com/en-us/library/cc753321.aspx
You can use the Deployment Image Servicing and Management (DISM) tool to mount a Windows
image from a WIM or VHD file. Mounting an image maps the contents of the image to a directory
so that you can service the image using DISM without booting into the image. You can also
perform common file operations, such as copying, pasting, and editing on a mounted image.
To apply packages and updates to a Windows Embedded Standard 7 image, we recommend
creating a configuration set and then using Deployment Imaging Servicing and Management
(DISM) to install that configuration set. Although DISM can be used to install individual updates to
an image, this method carries some additional risks and is not recommended.

QUESTION 195
Your network contains two Active Directory domains named contoso.com and adatum.com. The
contoso.com domain contains a server named Server1.contoso.com. The adatum.com domain
contains a server named server2.adatum.com. Server1 and Server2 run Windows Server 2012
R2 and have the DirectAccess and VPN (RRAS) role service installed. Server1 has the default
network policies and the default connection request policies.
You need to configure Server1 to perform authentication and authorization of VPN connection
requests to Server2.
Only users who are members of Adatum\Group1 must be allowed to connect.
Which two actions should you perform on Server1?

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 185
http://www.braindump2go.com
(Each correct answer presents part of the solution. Choose two.)

A. Network policies
B. Connection request policies
C. Create a network policy.
D. Create a connection request policy.

Answer: AD
Explanation:
* Connection request policies are sets of conditions and settings that allow network administrators
to designate which Remote Authentication Dial-In User Service (RADIUS) servers perform the
authentication and authorization of connection requests that the server running Network Policy
Server (NPS) receives from RADIUS clients. Connection request policies can be configured to
designate which RADIUS servers are used for RADIUS accounting.
* With connection request policies, you can use NPS as a RADIUS server or as a RADIUS proxy,
based on factors such as the following:
The time of day and day of the week
The realm name in the connection request
The type of connection being requested
The IP address of the RADIUS client

QUESTION 196
Your network contains an Active Directory forest named contoso.com.
All servers run Windows Server 2012 R2.
You need to create a custom Active Directory Application partition.
Which tool should you use?

A. Netdom
B. Ntdsutil
C. Dsmod
D. Dsamain

Answer: B
Explanation:
* To create or delete an application directory partition Open Command Prompt.
Type:ntdsutil
At the ntdsutil command prompt, type:domain management
At the domain management command prompt, type:connection At the server connections
command prompt, type:connect to server ServerName At the server connections command
prompt, type:quit
At the domain management command prompt, do one of the following:
* partition management
Manages directory partitions for Active Directory Domain Services (AD DS) or Active Directory
Lightweight Directory Services (AD LDS).
This is a subcommand of Ntdsutil and Dsmgmt. Ntdsutil and Dsmgmt are command-line tools that
are built into Windows Server 2008 and Windows Server 2008 R2.
/ partition management create nc %s1 %s2
Creates the application directory partition with distinguished name %s1, on the Active Directory
domain controller or AD LDS instance with full DNS name %s2. If you specify "NULL" for %s2,
this command uses the currently connected Active Directory domain controller. Use this
command only with AD DS. For AD LDS, use create nc %s1 %s2 %s3.
Note:
* An application directory partition is a directory partition that is replicated only to specific domain
controllers. A domain controller that participates in the replication of a particular application

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 186
http://www.braindump2go.com
directory partition hosts a replica of that partition.

QUESTION 197
Your network contains an Active Directory domain named contoso.com. All servers run Windows
Server 2012 R2. The functional level of both the domain and the forest is Windows Server 2008
R2. The domain contains a domain-based Distributed File System (DFS) namespace that is
configured as shown in the exhibit. (Click the Exhibit button.)

You need to enable access-based enumeration on the DFS namespace. What should you do
first?

A. Install the File Server Resource Manager role service on Server3 and Server5.
B. Raise the domain functional level.
C. Delete and recreate the namespace.
D. Raise the forest functional level.

Answer: C
Explanation:
Access-based enumeration is only supported on a Domain-based Namespace in Windows Server
2008 Mode. This type of Namespace requires a minimum Windows Server 2003 forest functional
level and a minimum Windows Server 2008 domain functional level.
The exhibit indicates that the current namespace is a Domain-based Namespace in Windows
Server 2000 Mode. To migrate a domain-based namespace from Windows 2000 Server mode to
Windows Server 2008 mode, you must export the namespace to a file, delete the namespace,
recreate it in Windows Server 2008 mode, and then import the namespace settings.
http://msdn.microsoft.com/en-us/library/cc770287.aspx
http://msdn.microsoft.com/en-us/library/cc753875.aspx

QUESTION 198
Your network contains an Active Directory domain named contoso.com. All domain controllers
run Windows Server 2012 R2.
The domain contains two organizational units (OUs) named OU1 and OU2 in the root of the
domain.
Two Group Policy objects (GPOs) named GPO1 and GPO2 are created. GPO1 is linked to OU1.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 187
http://www.braindump2go.com
GPO2 is linked to OU2.
OU1 contains a client computer named Computer1. OU2 contains a user named User1.
You need to ensure that the GPOs applied to Computer1 are applied to User1 when User1 logs
on.
What should you configure?

A. The GPO Status


B. GPO links
C. The Enforced setting
D. Security Filtering

Answer: D
Explanation:
* GPOs cannot be linked directly to users, computers, or security groups. They can only be linked
to sites, domains and organizational units. However, by using security filtering, you can narrow
the scope of a GPO so that it applies only to a single group, user, or computer.
* Security filtering is a way of refining which users and computers will receive and apply the
settings in a Group Policy object (GPO). Using security filtering, you can specify that only certain
security principals within a container where the GPO is linked apply the GPO. Security group
filtering determines whether the GPO as a whole applies to groups, users, or computers; it cannot
be used selectively on different settings within a GPO.
Reference: Security filtering using GPMC

QUESTION 199
Your network contains an Active Directory domain named contoso.com. All domain controllers
run Windows Server 2012 R2. An organizational unit (OU) named OU1 contains 200 client
computers that run Windows 8 Enterprise. A Group Policy object (GPO) named GPO1 is linked to
OU1.
You make a change to GPO1.
You need to force all of the computers in OU1 to refresh their Group Policy settings immediately.
The solution must minimize administrative effort.
Which tool should you use?

A. The Secedit command


B. Server Manager
C. Group Policy Object Editor
D. The Invoke-GpUpdate cmdlet

Answer: D
Explanation:
Invoke-GPUpdate
Schedule a remote Group Policy refresh (gpupdate) on the specified computer.
Applies To: Windows Server 2012 R2
The Invoke-GPUpdate cmdlet refreshes Group Policy settings, including security settings that are
set on remote computers by scheduling the running of the Gpupdate command on a remote
computer.
You can combine this cmdlet in a scripted fashion to schedule the Gpupdate command on a
group of computers.
The refresh can be scheduled to immediately start a refresh of policy settings or wait for a
specified period of time, up to a maximum of 31 days.
To avoid putting a load on the network, the refresh times will be offset by a random delay.
Note:
Group Policy is a complicated infrastructure that enables you to apply policy settings to remotely
configure a computer and user experience within a domain. When the Resultant Set of Policy

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 188
http://www.braindump2go.com
settings does not conform to your expectations, a best practice is to first verify that the computer
or user has received the latest policy settings. In previous versions of Windows, this was
accomplished by having the user run GPUpdate.exe on their computer. With Windows Server
2012 R2 and Windows 8, you can remotely refresh Group Policy settings for all computers in an
organizational unit (OU) from one central location by using the Group Policy Management
Console (GPMC). Or you can use the Invoke-GPUpdate Windows PowerShell cmdlet to refresh
Group Policy for a set of computers, including computers that are not within the OU structure--for
example, if the computers are located in the default computers container. The remote Group
Policy refresh updates all Group Policy settings, including security settings that are set on a group
of remote computers, by using the functionality that is added to the context menu for an OU in the
Group Policy Management Console (GPMC). When you select an OU to remotely refresh the
Group Policy settings on all the computers in that OU, the following operations happen:
An Active Directory query returns a list of all computers that belong to that OU.
For each computer that belongs to the selected OU, a WMI call retrieves the list of signed in
users.
A remote scheduled task is created to run GPUpdate.exe /force for each signed in user and once
for the computer Group Policy refresh. The task is scheduled to run with a random delay of up to
10 minutes to decrease the load on the network traffic. This random delay cannot be configured
when you use the GPMC, but you can configure the random delay for the scheduled task or set
the scheduled task to run immediately when you use the Invoke-GPUpdate cmdlet.

QUESTION 200
Your network contains a Hyper-V host named Server1 that hosts 20 virtual machines.
You need to view the amount of memory resources and processor resources each virtual
machine uses currently.
Which tool should you use on Server1?

A. Windows System Resource Manager (WSRM)


B. Task Manager
C. Resource Monitor
D. Hyper-V Manager

Answer: D
Explanation:

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 189
http://www.braindump2go.com
Hyper-V Performance Monitoring Tool
Know which resource is consuming more CPU. Find out if CPUs are running at full capacity or if
they are being underutilized. Metrics tracked include Total CPU utilization, Guest CPU utilization,
Hypervisor CPU utilization, idle CPU utilization, etc. WSRM is deprecated starting with Windows
Server 2012

QUESTION 201
Hotspot Question
Your network contains an Active Directory forest named contoso.com. The forest contains a
single domain. The contoso.com zone is Active Directory-integrated and configured to replicate to
all of the domain controllers in the contoso.com domain. Server1 has a DNS record in the
contoso.com zone.
You need to verify when the DNS record for Server1 was last updated.
In which Active Directory partition should you view the DNS record of Server1?
To answer, select the appropriate Active Directory partition in the answer area.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 190
http://www.braindump2go.com
Answer:

Explanation:
From the task text shows that the zone data is replicated to all domain controllers in the domain
contoso.com. This corresponds to the replication scope for Windows 2000 compatibility.
The partitions DomainDNSZones and ForestDNSZones were only introduced with Windows
Server 2003. On Windows 2000 Server DNS zone data stored in the domain partition and
replicated to all domain controllers (not only domain controllers with the DNS server role).

QUESTION 202
Your network contains an Active Directory domain named contoso.com. The domain contains two
member servers named Server1 and Server2. All servers run Windows Server 2012 R2. Server1
has the Windows Server Update Services (WSUS) server role installed. WSUS is configured to
use a Windows Internal Database. Server2 has Microsoft SQL Server 2008 R2 Standard
deployed.
You detach the SUSDB database from Server1 and attach the database to Server2.
You need to ensure that Windows Deployment Services (WDS) on Server1 uses the database
hosted on Server2.
What should you do on Server1?

A. Configure an ODBC file data source.


B. Run the wsusutil command.
C. Edit the registry.
D. Configure an ODBC system data source.

Answer: C
Explanation:
Find the following key:
HKLM\SOFTWARE\Microsoft\UpdateServices\Server\Setup\SqlServerName. In the Value data
box, type [BEName]\[InstanceName], and then click OK. If the instance name is the default
instance, type [BEName].

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 191
http://www.braindump2go.com
Find the following key: HKLM\Software\Microsoft\Update Services\Server\Setup\wYukonInstalled.
In the Value box, type 0, and then click OK. http://technet.microsoft.com/en-
us/library/cc708558(WS.10).aspx

QUESTION 203
Your network contains an Active Directory forest named contoso.com. The functional level of the
forest is Windows Server 2008 R2. All of the user accounts in the marketing department are
members of a group named Contoso\MarketingUsers. All of the computer accounts in the
marketing department are members of a group named Contoso\MarketingComputers.
A domain user named User1 is a member of the Contoso\MarketingUsers group.
A computer named Computer1 is a member of the Contoso\MarketingComputers group.
You have five Password Settings objects (PSOs).
The PSOs are defined as shown in the following table.

When User1 logs on to Computer1 and attempts to change her password, she receives an error
message indicating that her password is too short.
You need to tell User1 what her minimum password length is.
What should you tell User1?

A. 10
B. 11
C. 12
D. 14

Answer: A
Explanation:
Let’s take the G_ITAdmins group and apply two PSOs, one with precedence of 10 and one with
precedence of 5.
The PSO with precedence of 5 will win, because a lower precedence value is a higher
precedence.
This makes sense if you are just using groups and apply the PSO to the group level.
But what happens if you apply a PSO to the group G_ITAdmins (Sally Smith is still a member)
and you apply a PSO directly to Sally Smith?
Let’s take the G_ITAdmins group again, where Sally Smith is a member, and apply a PSO with a
precedence of 10.
Create another PSO with a precedence of 15 and apply this PSO directly to the user Sally Smith.
The PSO directly applied to Sally will win, although the precedence value is higher.
The way that the PSO applied is determined is as follows:
A PSO that is linked directly to the user object is the resultant PSO. If no PSO is linked to the
user object, the global security group memberships of the user - and all PSOs that are applicable

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 192
http://www.braindump2go.com
to the user based on those global group memberships—are compared. The PSO with the lowest
precedence value is the resultant PSO.
https://technet.microsoft.com/en-us/library/cc770394%28v=ws.10%29.aspx

QUESTION 204
Your network contains an Active Directory domain named contoso.com.
The domain contains a server named Server1 that runs Windows Server 2012 R2.
Server1 has the Remote Access server role installed.
You log on to Server1 by using a user account named User2.
From the Remote Access Management Console, you run the Getting Started Wizard and you
receive a warning message as shown in the exhibit. (Click the Exhibit button.)

You need to ensure that you can configure DirectAccess successfully.


The solution must minimize the number of permissions assigned to User2.
To which group should you add User2?

A. Enterprise Admins
B. Administrators
C. Server Operators
D. Account Operators

Answer: B

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 193
http://www.braindump2go.com
Explanation:
You must have privileges to create WMI filters in the domain in which you want to create the filter.
Permissions can be changed by adding a user to the Administrators group.
Administrators (A built-in group)
After the initial installation of the operating system, the only member of the group is the
Administrator account. When a computer joins a domain, the Domain Admins group is added to
the Administrators group. When a server becomes a domain controller, the Enterprise Admins
group also is added to the Administrators group. The Administrators group has built-in capabilities
that give its members full control over the system.
The group is the default owner of any object that is created by a member of the group.
This example logs in as a test user who is not a domain user or an administrator on the server.
This results in the error specifying that DA can only be configured by a user with local
administrator permissions.
http://technet.microsoft.com/en-us/library/cc780416(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc775497(v=ws.10).aspx

QUESTION 205
Your company has a main office and a branch office. The network contains an Active Directory
domain named contoso.com. The main office contains a domain controller named DC1 that runs
Windows Server 2012 R2. DC1 is a DNS server and hosts a primary zone for contoso.com.
The branch office contains a member server named Server1 that runs Windows Server 2012 R2.
Server1 is a DNS server and hosts a secondary zone for contoso.com. The main office connects
to the branch office by using an unreliable WAN link.
You need to ensure that Server1 can resolve names in contoso.com if the WAN link in
unavailable for three days.
Which setting should you modify in the start of authority (SOA) record?

A. Retry interval
B. Minimum (default) TTL
C. Refresh interval
D. Expires after

Answer: D
Explanation:
Refresh interval. Used to determine how often other DNS servers that load and host the zone
must attempt to renew the zone.
Retry interval. Used to determine how often other DNS servers that load and host the zone are to
retry a request for update of the zone each time that the refresh interval occurs. Expire interval.
Used by other DNS servers that are configured to load and host the zone to determine when
zone data expires if it is not renewed.

QUESTION 206
Your network contains an Active Directory domain named contoso.com. The domain contains a
server named Server1 that runs Windows Server 2012 R2. Server1 has the Network Policy and
Access Services server role installed.
You plan to deploy 802.1x authentication to secure the wireless network.
You need to identify which Network Policy Server (NPS) authentication method supports
certificate-based mutual authentication for the 802.lx deployment.
Which authentication method should you identify?

A. PEAP-MS-CHAP v2
B. MS-CHAP v2
C. EAP-TLS

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 194
http://www.braindump2go.com
D. MS-CHAP

Answer: C
Explanation:
802. 1X uses EAP, EAP-TLS, EAP-MS-CHAP v2, and PEAP authentication methods:
EAP (Extensible Authentication Protocol) uses an arbitrary authentication method, such as
certificates, smart cards, or credentials.
EAP-TLS (EAP-Transport Layer Security) is an EAP type that is used in certificatebased security
environments, and it provides the strongest authentication and key determination method.
EAP-MS-CHAP v2 (EAP-Microsoft Challenge Handshake Authentication Protocol version 2) is a
mutual authentication method that supports password-based user or computer authentication.
PEAP (Protected EAP) is an authentication method that uses TLS to enhance the security of
other EAP authentication protocols.

QUESTION 207
Your network contains an Active Directory domain named contoso.com. AH servers run Windows
Server 2012 R2. The domain contains a server named Server1.
You install the Windows PowerShell Web Access gateway on Server1.
You need to provide administrators with the ability to manage the servers in the domain by using
the Windows PowerShell Web Access gateway.
Which two cmdlets should you run on Server1?
(Each correct answer presents part of the solution. Choose two.)

A. Set-WSManQuickConfig
B. Set-WSManInstance
C. Add-PswaAuthorizationRule
D. Set-BCAuthentication
E. Install-Pswa Web Application

Answer: CE
Explanation:
Windows PowerShell Web Access is a new feature in Windows Server 2012 that acts as a
Windows PowerShell Gateway and the web-based Windows PowerShell console is provided,
which is aligned on a remote computer. In order to run IT specialists Windows PowerShell
commands and scripts on a Windows PowerShell console in a Web browser without having
Windows PowerShell, remote management software or browser plug-ins must be installed on the
client device. To run the web-based Windows PowerShell console a properly configured Windows
PowerShell Web Access gateway and a browser on the client device is only necessary that
supports JavaScript and cookies accepted.

Examples of client devices include laptops, privately used personal computers, borrowed
computers, tablet PCs, Webkiosks, computers that are not Windows-based operating system is
running, and browsers on cell phones. IT professionals can use devices that have access to an
internet connection and a web browser perform key administrative tasks on Windows-based
remote servers. After the successful setup and configuration of the gateway, users can access
PowerShell console with a Web browser on a Windows.

After searching the protected Windows PowerShell Web Access site open, you can run a web-
based Windows PowerShell console after successful authentication. The setup and configuration
of Windows PowerShell Web Access involves three steps:

Step 1: Install Windows PowerShell Web Access


Step 2: Configuring the Gateway
Step 3: Configuring authorization rules and site security

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 195
http://www.braindump2go.com
QUESTION 208
Drag and Drop Question
Your network contains an Active Directory domain named contoso.com.
All domain controllers run Windows Server 2012 R2.
The domain contains an organizational unit (OU) named OU1.
OU1 contains an OU named OU2. OU2 contains a user named User1.
User1 is the member of a group named Group1.
Group1 is in the Users container.
You create five Group Policy objects (GPO).
The GPOs are configured as shown in the following table.

You need to identify which three GPOs will be applied to User1 and in which order the GPOs will
be applied to User1.
Which three GPOs should you identify in sequence?
To answer, move the appropriate three GPOs from the list of GPOs to the answer area and
arrange them in the correct order.

Answer:

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 196
http://www.braindump2go.com
Explanation:
Basically determines the order in which the GPOs are applied by Group Policy, the ranking. The
default order is local, site, domain, organizational unit and subordinate organizational units (OU
LSD). Therefore GPOs have in child OUs overrides associated with parent OUs GPOs.

This in turn take precedence over the domain linked GPOs, which take precedence over the site
linked GPOs. Direction for use, or LSD-OU (LSDOU)

1. Local Policy
2. GPOs that are linked to the site
3. GPOs that are linked to the domain
4. GPOs that are linked to organizational units (from the parent OU to subordinate)

The Standardreiehnfolge processing can be set by forcing a Group Policy object or by disabling
the inheritance of a GPO repealed. Enforced When a GPO enforced it will put at the end of the
processing sequence. If more than one GPO to "forced" option is enabled, the GPOs are applied
in reverse default order (L-OU-DS).

In this way ensures that the settings of Domain Admins will not be overwritten by forcing the
settings of a Delegated Administrator at a subordinate level. If several enforced GPO objects
linked on the same level as, shall be the highest priority by (the sorted upwards). Inheritance
disable The above the OU linked GPOs are not inherited or blocked.

Is activated by a higher-level object "forced", so the inheritance can not be prevented. Thus, the
Domain Administrator can always prevail with its settings. For taking over the settings of a GPO a
Sicherheitrsprinzipal required permissions Read and Apply Group Policy. If the security principal
denied these rights, the GPO does not apply.

QUESTION 209
Hotspot Question
You have a server named Server1 that runs Windows Server 2012 R2. Server1 has two network
adapters and is located in a perimeter network.
You need to install the RIP version 2 routing protocol on Server1.
Which node should you use to add the RIP version 2 routing protocol?
To answer, select the appropriate node in the answer area.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 197
http://www.braindump2go.com
Answer:

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 198
http://www.braindump2go.com
QUESTION 210
Hotspot Question
Your network contains an Active Directory domain named contoso.com. All DNS servers host a
DNS zone named adatum.com. The adatum.com zone is not Active Directory-integrated. An
administrator modifies the start of authority (SOA) record for the adatum.com zone. After the
modification, you discover that when you add or modify DNS records in the adatum.com zone,
the changes are not transferred to the DNS servers that host secondary copies of the
adatum.com zone.
You need to ensure that the records are transferred to all the copies of the adatum.com zone.
What should you modify in the SOA record for the adatum.com zone?
To answer, select the appropriate setting in the answer area.

Answer:

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 199
http://www.braindump2go.com
Explanation:
By increasing the serial number is initiated for an immediate transfer of zone data to all secondary
servers. The SOA resource record contains the following information:

Serial number The revision number of the zone file. If changes the number is increased. By
increasing the serial number change to any secondary DNS servers are distributed.

Primary Server - The host on which the file was created.

Responsible Person - The E-mail address of the person responsible for managing the zone file
of the domain. Note that in the e-mail name instead of the symbol "@" a "." is used.

Update time - The time waiting for a secondary DNS server before querying the SOA record of
the primary DNS server for changes. If the update time expires, the secondary DNS server from
the primary server requests a copy of the current SOA record. The primary DNS server complies
with this request. The secondary DNS server compares the serial number of the current SOA
record of the primary DNS server with the serial number in its own SOA record. If these numbers
do not match, calls the secondary DNS server of the primary DNS server to a zone transfer. The
default value is 3,600.

Repetition Time - The time waiting for a secondary server, before retrying a failed zone transfer
is repeated. Usually, the repetition time is shorter than the update time. The default value is 600th

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 200
http://www.braindump2go.com
Elapsed time - The time in which a secondary server continues to try to perform a zone transfer.
When this time expires prior to a successful zone transfer, the secondary server verrwirft its zone
file. This has the result that the secondary server stops responding to queries when it considers
its data too old and no longer reliable. The default value is 86,400.

Time to live (TTL) - The minimum value of Live (TTL) value applies to all resource records of the
zone file. This value is contained in the answers to queries to DNS clients to inform about how
long they should keep the data in the cache. The default value is 3,600.

QUESTION 211
Your network contains an Active Directory domain named contoso. com.
All domain controllers run either Windows Server 2008 or Windows Server 2008 R2.
You deploy a new domain controller named DC1 that runs Windows Server 2012 R2.
You log on to DC1 by using an account that is a member of the Domain Admins group.
You discover that you cannot create Password Settings objects (PSOs) by using Active Directory
Administrative Center.
You need to ensure that you can create PSOs from Active Directory Administrative Center.
What should you do?

A. Modify the membership of the Group Policy Creator Owners group.


B. Transfer the PDC emulator operations master role to DC1.
C. Upgrade all of the domain controllers that run Window Server 2008.
D. Raise the functional level of the domain.

Answer: D
Explanation:
Fine-grained password policies allow you to specify multiple password policies within a single
domain so that you can apply different restrictions for password and account lockout policies to
different sets of users in a domain. To use a fine-grained password policy, your domain functional
level must be at least Windows Server 2008. To enable fine-grained password policies, you first
create a Password Settings Object (PSO).
You then configure the same settings that you configure for the password and account lockout
policies.
You can create and apply PSOs in the Windows Server 2012 environment by using the Active
Directory Administrative Center (ADAC) or Windows PowerShell.
Step 1: Create a PSO
Applies To: Windows Server 2008, Windows Server 2008 R2
http://technet.microsoft.com/en-us//library/cc754461%28v=ws.10%29.aspx

QUESTION 212
Your network contains an Active Directory domain named contoso.com. All domain controllers
run Windows Server 2012 R2. The domain contains 200 Group Policy objects (GPOs) and 100
WMI filters. An administrator named Admin1 must be able to create new WMI filters and edit all of
the existing WMI filters from the Group Policy Management Console (GPMC).
You need to delegate the required permissions to Admin1.
The solution must minimize the number of permissions assigned to Admin1.
What should you do?

A. From Group Policy Management, assign Full control to Admin1 for the WMI Filters container.
B. From Active Directory Users and Computers, add Admin1 to the Domain Admins group.
C. From Group Policy Management, assign Creator Owner to Admin1 for the WMI Filters container.
D. From Active Directory Users and Computers, add Admin1 to the WinRMRemoteWMIUsers__group.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 201
http://www.braindump2go.com
Answer: A
Explanation:
Users with Full control permissions can create and control all WMI filters in the domain,
including WMI filters created by others.
Users with Creator owner permissions can create WMI filters, but can only control WMI filters that
they create.
http://technet.microsoft.com/en-us/library/cc757429(v=ws.10).aspx
Note: Another similar question say “An administrator named Admin1 must be able to add new
WMI filters from the Group Policy Management Console (GPMC).”, then you should choose
“Users with Creator owner permissions”.

QUESTION 213
Hotspot Question
Your network contains an Active Directory domain named contoso.com. The domain contains a
server named Server1 that runs Windows Server 2012 R2. Server1 has the Windows Server
Update Services server role installed. All client computers are configured to download updates
from Server1.
You have a Group Policy object (GPO) named GPO1 that is linked to an organizational unit (OU)
named Sales_OU.
You need to ensure that all of the computers in Sales_OU are added to a Windows Server
Update Services (WSUS) computer group named SalesComputers.
Which setting should you configure in the GPO?
To answer, select the appropriate setting in the answer area.

Answer:

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 202
http://www.braindump2go.com
QUESTION 214
Your network contains three Network Policy Server (NPS) servers named NPS1, NPS2, and
NPS3. NPS1 is configured as a RADIUS proxy that forwards connection requests to a remote
RADIUS server group named Group1.
You need to ensure that NPS2 receives connection requests.
NPS3 must only receive connection requests if NPS2 is unavailable.
How should you configure Group1?

A. Change the Weight of NPS2 to 10.


B. Change the Weight of NPS3 to 10.
C. Change the Priority of NPS2 to 10.
D. Change the Priority of NPS3 to 10.

Answer: D
Explanation:
Priority specifies the order of importance of the RADIUS server to the NPS proxy server. Priority
level must be assigned a value that is an integer, such as 1, 2, or 3. The lower the number, the
higher priority the NPS proxy gives to the RADIUS server. For example, if the RADIUS server is
assigned the highest priority of 1, the NPS proxy sends connection requests to the RADIUS
server first; if servers with priority 1 are not available, NPS then sends connection requests to
RADIUS servers with priority 2, and so on. You can assign the same priority to multiple RADIUS
servers, and then use the Weight setting to load balance between them.

QUESTION 215
Hotspot Question
Your network contains an Active Directory domain named contoso.com. The domain contains
three servers named Server2, Server3, and Server4.
Server2 and Server4 host a Distributed File System (DFS) namespace named Namespace1.
You open the DFS Management console as shown in the exhibit. (Click the Exhibit button.)

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 203
http://www.braindump2go.com
To answer, complete each statement according to the information presented in the exhibit.
Each correct selection is worth one point.

Answer:

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 204
http://www.braindump2go.com
Explanation:
In Folder1 is a folder without folder targets. This can be seen on the icon of the folder. For
Folder1 therefore may also be configured not replication. In the shown memberships of the
replication group, it must therefore be the replication of the folder targets of folder2.
The replication of the target folder on Server4 is disabled. Files that are copied to Server2
Server3 or in folder2 are therefore not replicated to Server4.
For the physical directory C: \ folder1 is neither a target nor DFS folder DFS Replication is
configured.

QUESTION 216
Your network contains an Active Directory domain named contoso.com. All domain controllers
run Windows Server 2012 R2.
You plan to use fine-grained password policies to customize the password policy settings of
contoso.com.
You need to identify to which Active Directory object types you can directly apply the fine-grained
password policies.
Which two object types should you identify?
(Each correct answer presents part of the solution. Choose two.)

A. Domain local groups


B. Computers
C. Universal groups
D. Global groups
E. Users

Answer: DE
Explanation:
First off, your domain functional level must be at Windows Server 2008. Second, Fine-grained
password policies ONLY apply to user objects, and global security groups. Linking them to
universal or domain local groups is ineffective. I know what you're thinking, what about OU's?
Nope, Fine-grained password policy cannot be applied to an organizational unit (OU) directly.
The third thing to keep in mind is, by default only members of the Domain Admins group can set
fine-grained password policies. However, you can delegate this ability to other users if needed.
Fine-grained password policies apply only to user objects (or inetOrgPerson objects if they are
used instead of user objects) and global security groups.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 205
http://www.braindump2go.com
You can apply Password Settings objects (PSOs) to users or global security groups:
http://technet.microsoft.com/en-us/library/cc731589%28v=ws.10%29.aspx
http://technet.microsoft.com/en-us/library/cc731589%28v=ws.10%29.aspx
http://technet.microsoft.com/en-us/library/cc770848%28v=ws.10%29.aspx
http://www.brandonlawson.com/active-directory/creating-fine-grained-password-policies/

QUESTION 217
Your network contains an Active Directory domain named contoso.com. The domain contains a
domain controller named DC1 that runs Windows Server 2012 R2. All client computers run
Windows 8 Enterprise. DC1 contains a Group Policy object (GPO) named GPO1.
You need to update the PATH variable on all of the client computers.
Which Group Policy preference should you configure?

A. Ini Files
B. Services
C. Environment
D. Data Sources

Answer: C
Explanation:
Environment Variable preference items allow you to create, update, replace, and delete user and
system environment variables or semicolon-delimited segments of the PATH variable. Before you
create an Environment Variable preference item, you should review the behavior of each type of
action possible with this extension.

QUESTION 218
Your network has a router named Router1 that provides access to the Internet.
You have a server named Server1 that runs Windows Server 2012 R2. Server1 to use Router1
as the default gateway. A new router named Router2 is added to the network. Router2 provides
access to the Internet. The IP address of the internal interface on Router2 is 10.1.14.254.
You need to configure Server1 to use Router2 to connect to the Internet if Router1 fails.
What should you do on Server1?

A. Add a route for 10.1.14.0/24 that uses 10.1.14.254 as the gateway and set the metric to 500.
B. Add 10.1.14.254 as a gateway and set the metric to 500.
C. Add a route for 10.1.14.0/24 that uses 10.1.14.254 as the gateway and set the metric to 1.
D. Add 10.1.14.254 as a gateway and set the metric to 1.

Answer: B
Explanation:
To configure the Automatic Metric feature:
1. In Control Panel, double-click Network Connections.
2. Right-click a network interface, and then click Properties.
3. Click Internet Protocol (TCP/IP), and then click Properties.
4. On the General tab, click Advanced.
5. To specify a metric, on the IP Settings tab, click to clear the Automatic metric check box, and
then enter the metric that you want in the Interface Metric field.
To manually add routes for IPv4
Open the Command Prompt window by clicking the Start button Picture of the Start button.
In the search box, type Command Prompt, and then, in the list of results, click Command Prompt.
At the command prompt, type route -p add [destination] [mask <netmask>] [gateway]
[metric <metric>] [if <interface>].

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 206
http://www.braindump2go.com
QUESTION 219
Your network contains and Active Directory domain named contoso.com. The domain contains a
member server named Server1. All servers run Server 2012.
You need to collect the error events from all the servers on Server1. The solution ensure that
when new servers are added to the domain, their error events are collected automatically on
Server1.
Which two actions should you perform?
(Each correct answer presents part of the solution. Choose two.)

A. On Server1, create a source computer initiated subscription.


B. From a Group Policy object (GPO), configure the Configure forwarder resource usage settings.
C. From a Group Policy object (GPO), configure the Configure target Subscription Manager settings
D. On Server1, create a collector initiated subscription.

Answer: AC
Explanation:
A. Source-initiated subscriptions allow you to define a subscription on an event collector
computer without defining the event source computers, and then multiple remote event source
computers can be set up (using a group policy setting) to forward events to the event collector
computer.
C. Enable the SubscriptionManager setting, and click the Show button to add a server address to
the setting.
http://technet.microsoft.com/en-us/library/cc722010.aspx
http://msdn.microsoft.com/en-us/library/windows/desktop/bb870973(v=vs.85).aspx

QUESTION 220
Your network contains an Active Directory domain named contoso.com. All domain controllers
run Windows Server 2012 R2. DirectAccess is deployed to the network. Remote users connect to
the DirectAccess server by using a variety of network speeds. The remote users report that
sometimes their connection is very slow.
You need to minimize Group Policy processing across all wireless wide area network (WWAN)
connections.
Which Group Policy setting should you configure?

A. Configure Group Policy slow link detection.


B. Configure wireless policy processing.
C. Change Group Policy processing to run asynchronously when a slow network connection is detected.
D. Configure Direct Access connections as a fast network connection.

Answer: A
Explanation:

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 207
http://www.braindump2go.com
Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 208
http://www.braindump2go.com
Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 209
http://www.braindump2go.com
http://www.rebeladmin.com/tag/slow-link/

QUESTION 221
Hotspot Question
Your network contains an Active Directory domain named contoso.com. The domain contains a
server named Server1 that runs Windows Server 2012 R2.
Server1 has the Windows Server Update Services server role installed.
You need to use the Group Policy object (GPO) to assign members to a computer group.
Which setting should you configure in the GPO?
To answer, select the appropriate setting in the answer area.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 210
http://www.braindump2go.com
Answer:

Explanation:
Client-side targeting involves automatically assigning the computers by using either Group Policy
or registry keys. Second, create the computer group in WSUS. Third, move the computers into
groups by using whichever method you chose in the first step.
http://technet.microsoft.com/en-us/library/cc720433(v=ws.10).aspx

QUESTION 222
The contoso.com domain contains a a DNS server named Server1 that host a primary zone.
Server2 contains a a secondary zone for the contoso.com doamin.
You need to configure how long Server2 queries Server1 to renew the zone.
What should you configure?

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 211
http://www.braindump2go.com
A. Retry Interval
B. Minimum TTL
C. Refresh Interval
D. Authority Record

Answer: C
Explanation:
A. The time, in seconds, a secondary server waits before retrying a failed zone transfer. Normally,
this time is less than the refresh interval. The default value is 600 seconds (10 minutes).
B The default Time-To-Live (TTL) of the zone and the maximum interval for caching negative
answers to name queries. The default value is 3,600 seconds (1 hour).
C. The time, in seconds, that a secondary DNS server waits before querying its source for the
zone to attempt renewal of the zone. When the refresh interval expires, the secondary DNS
server requests a copy of the current SOA record for the zone from its source, which answers this
request. The secondary DNS server then compares the serial number of the source server's
current SOA record (as indicated in the response) with the serial number in its own local SOA
record. If they are different, the secondary DNS server requests a zone transfer from the primary
DNS server. The default for this field is 900 seconds (15 minutes).
D.
http://technet.microsoft.com/en-us/library/cc779148(v=ws.10).aspx

QUESTION 223
Hotspot Question
Your network contains an Active Directory domain named contoso.com. The domain contains
three member servers named Server1, Server2, and Server3. All servers run Windows Server
2012 R2 and have the Windows Server Update Services (WSUS) server role installed.
Server1 and Server2 are configured as replica servers that use Server3 as an upstream server.
You remove Server3 from the network.
You need to ensure that WSUS on Server2 retrieves updates from Server1.
The solution must ensure that Server1 and Server2 have the latest updates from Microsoft.
Which command should you run on each server?
To answer, select the appropriate command to run on each server in the answer area.

Answer:

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 212
http://www.braindump2go.com
Explanation:
With the cmdlet Set-WsusServerSynchronization can be determined whether a Windows
Server Update Services (WSUS) server updates from Microsoft Update or an upstream server
synchronized.

The parameter -SyncFromMU indicates that update servers should be synchronized from
Microsoft. The parameter -UssServerName server name indicates that you want to synchronize
from the upstream server specified.

QUESTION 224
Your network contains an Active Directory domain named contoso.com. The domain contains a
domain controller named DC1 that runs Windows Server 2012 R2.
You mount an Active Directory snapshot on DC1.
You need to expose the snapshot as an LDAP server.
Which tool should you use?

A. ADSI Edit
B. Ntdsutil
C. Dsamain
D. Ldp

Answer: C
Explanation:

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 213
http://www.braindump2go.com
http://technet.microsoft.com/en-us/library/cc753609(v=ws.10).aspx

QUESTION 225
Your network contains an Active Directory domain named contoso.com.
The domain contains a server named Server1 that runs Windows Server 2012 R2.
Server1 has a drive named E that is encrypted by using BitLocker Drive Encryption (BitLocker).
A recovery key is stored on drive C. Drive E becomes locked.
When you attempt to use the recovery key, you receive the following error message.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 214
http://www.braindump2go.com
You need to access the data stored on drive E.
What should you run first?

A. manage-bde -protectors -get e:


B. manage-bde -unlock e: -recoverykey c:\
C. disable-bitlocker -mountpoint e:
D. unlock-bitlocker -mountpoint e: -recoverykeypath c:

Answer: A
Explanation:
With the call Manage-bde -protectors -get E:
You can use the key protectors (protectors) list of a BitLocker-protected volumes. The ID
numbers of protectors allow you to identify the matching key. With the cmdlet unlock BitLocker
access can be restored to a BitLocker-protected volume. For unlocking of the following key
protection devices can be used:

Active Directory domain account


Password (Password)
Recovery key (RecoveryKey)
Recovery password (Password Recovery)

With Unlock BitLocker and specifying the path of the recovery key would drive E can be
unlocked directly. The question "What command run first?" but suggests that prior to unlocking
more detailed information should be found for encryption.

Note:
manage-bde
can with the parameter unlock as the cmdlet unlock BitLocker be used to unlock a protected
volume. The parameter recoverykey the command-line tool manage-bde but requires the full
specification of the path of a recovery key (eg "C: \ Keys \ recoverykey.bek").

QUESTION 226
Your network contains an Active Directory domain named contoso.com.
All user accounts reside in an organizational unit (OU) named OU1.
You create a Group Policy object (GPO) named GPO1.
You link GPO1 to OU1.
You configure the Group Policy preference of GPO1 to add a shortcut named Link1 to the
desktop of each user.
You discover that when a user deletes Link1, the shortcut is removed permanently from the
desktop.
You need to ensure that if a user deletes Link1, the shortcut is added to the desktop again.
What should you do?

A. Modify the Link1 shortcut preference of GPO1.


B. Enable loopback processing in GPO1.
C. Enforce GPO1.
D. Modify the Security Filtering settings of GPO1.

Answer: A
Explanation:
This type of preference item provides a choice of four actions: Create, Replace, Update, and
Delete. The behavior of the preference item varies with the action selected and whether the
shortcut already exists.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 215
http://www.braindump2go.com
http://technet.microsoft.com/en-us/library/cc753580.aspx
http://technet.microsoft.com/en-us/library/cc753580.aspx

QUESTION 227
Your network contains an Active Directory forest named contoso.com. The forest contains two
sites named Main and Branch. The Main site contains 400 desktop computers and the Branch
site contains 150 desktop computers. All of the desktop computers run Windows 8. In Main, the
network contains a member server named Server1 that runs Windows Server 2012 R2.
You install the Windows Server Update Services server role on Server1.
You need to ensure that Windows updates obtained from Windows Server Update Services
(WSUS) are the same for the computers in each site.
You want to achieve this goal by using the minimum amount of administrative effort.
What should you do?

A. From the Update Services console, create computer groups.


B. From the Update Services console, configure the Computers options.
C. From the Group Policy Management console, configure the Windows Update settings.
D. From the Group Policy Management console, configure the Windows Anytime Upgrade settings.
E. From the Update Services console, configure the Synchronization Schedule options.

Answer: C
Explanation:
In the section Computer Configuration \ Administrative Templates \ Windows Components \
Windows Update a GPO (GPOs) can be configured at a central location all the relevant settings
for the Windows Update configuration of the desktop computer.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 216
http://www.braindump2go.com
QUESTION 228
Your network contains an Active Directory forest named contoso.com. The domain contains three
servers. The servers are configured as shown in the following table.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 217
http://www.braindump2go.com
You plan to implement the BitLocker Drive Encryption (BitLocker) Network Unlock feature.
You need to identify which server role must be deployed to the network to support the planned
implementation.
Which role should you identify?

A. Network Policy and Access Services


B. Volume Activation Services
C. Active Directory Rights Management Services
D. Windows Deployment Services

Answer: D
Explanation:
Windows Deployment Services (WDS) is a server role that enables you to remotely deploy
Windows operating systems. You can use it to set up new computers by using a networkbased
installation. This means that you do not have to install each operating system directly from a CD,
USB drive or DVD. To use Windows Deployment Services, you should have a working knowledge
of common desktop deployment technologies and networking components, including Dynamic
Host Configuration Protocol (DHCP), Domain Name System (DNS), and Active Directory Domain
Services (AD DS). It is also helpful to understand the Preboot eXecution Environment (also
known as Pre-Execution Environment).

QUESTION 229
Drag and Drop Question
Your network contains an Active Directory domain named contoso.com. The domain contains a
domain controller named DC1.
You need to create an Active Directory snapshot on DC1.
Which four commands should you run?
To answer, move the four appropriate commands from the list of commands to the answer area
and arrange them in the correct order.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 218
http://www.braindump2go.com
Answer:

Explanation:
http://technet.microsoft.com/nl-nl/library/cc753609%28v=ws.10%29.aspx
http://mizitechinfo.wordpress.com/2013/08/13/simple-step-create-a-snapshot-of-ad-ds-in-
windows-server-2012-r2-by-using-ntdsutil/

QUESTION 230
Hotspot Question

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 219
http://www.braindump2go.com
Your network contains an Active Directory domain named contoso.com. The domain contains a
server named Print1.
Your company implements DirectAccess. A user named User1 frequently works at a customer's
office. The customer's office contains a print server named Print1. While working at the
customer's office, User1 attempts to connect to Print1.
User1 connects to the Print1 server in contoso.com instead of the Print1 server at the customer's
office.
You need to provide User1 with the ability to connect to the Print1 server in the customer's office.
Which Group Policy option should you configure?
To answer, select the appropriate option in the answer area.

Answer:

Explanation:
The policy setting allowing favoring local name indicates whether the user has the DirectAccess-
entry options for connecting and disconnecting available when the user clicks on the icon for the
network system tray.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 220
http://www.braindump2go.com
When a user clicks on the "Disconnect" option, removed the NCA the DirectAccess rules from the
policy table for name resolution (Name Resolution Policy Table, NRPT) and the DirectAccess
client computer uses the next available normal name resolution in its current network
configuration.

This includes sending all DNS queries to the local intranet or Internet DNS server. Note that the
NCA does not remove existing IPsec tunnel and users can access Internet resources on the
DirectAccess server continues by instead of names IPv6 addresses specify. Use the "Disconnect"
option allows users to while connected to another Intranet specify unqualified names with a name
(z. B. "PRINTSVR") for local resources.

The same applies to the temporary access to intranet resources when the network location
determination has erroneously recognized that the DirectAccess client computer is connected to
its own Intranet. Use the "Connect" option allows users to DirectAccess rules to recover in the
policy table for name resolution and the normal DirectAccess use functions.

QUESTION 231
Hotspot Question
Your network contains an Active Directory domain named contoso.com.
You need to create a certificate template for the BitLocker Drive Encryption (BitLocker) Network
Unlock feature.
Which Cryptography setting of the certificate template should you modify?
To answer, select the appropriate setting in the answer area.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 221
http://www.braindump2go.com
Answer:

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 222
http://www.braindump2go.com
Explanation:
Minimum key size should be 2048
https://technet.microsoft.com/en-us/library/jj574173.aspx#BKMK_CreateCertTmpl

QUESTION 232
Your network contains an Active Directory forest named contoso.com.
The forest functional level is Windows Server 2012 R2. The forest contains a single domain.
You create a Password Settings object (PSO) named PSO1.
You need to delegate the rights to apply PSO1 to the Active Directory objects in an organizational
unit named OU1.
What should you do?

A. From Active Directory Users and Computers, run the Delegation of Control Wizard.
B. From Active Directory Administrative Center, modify the security settings of PSO1.
C. From Group Policy Management, create a Group Policy object (GPO) and link the GPO to OU1.
D. From Active Directory Administrative Center, modify the security settings of OU1.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 223
http://www.braindump2go.com
Answer: B
Explanation:
PSOs cannot be applied to organizational units (OUs) directly. If your users are organized into
OUs, consider creating global security groups that contain the users from these Ous and then
applying the newly defined finegrained password and account lockout policies to them. If you
move a user from one OU to another, you must update user memberships in the corresponding
global security groups.
Go ahead and hit "OK" and then close out of all open windows. Now that you have created a
password policy, we need to apply it to a user/group. In order to do so, you must have "write"
permissions on the PSO object. We're doing this in a lab, so I'm Domain Admin.
Write permissions are not a problem : )
1. Open Active Directory Users and Computers (Start, point to Administrative Tools, and then
click Active Directory Users and Computers).
2. On the View menu, ensure that Advanced Features is checked.
3. In the console tree, expand Active Directory Users and
Computers\yourdomain\System\Password Settings Container
4. In the details pane, right-click the PSO, and then click Properties.
5. Click the Attribute Editor tab.
6. Select the msDS-PsoAppliesTo attribute, and then click Edit.

QUESTION 233
Your network contains an Active Directory forest named contoso.com. The forest contains two
domains named contoso.com and childl.contoso.com. All domain controllers run Windows Server
2012 R2. The domain contains four domain controllers.
The domain controllers are configured as shown in the following table.

You open Active Directory Users and Computers on a client computer and connect to DC1.
You display the members of a group named Group1 as shown in the Group1 Members exhibit.
(Click the Exhibit button.)

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 224
http://www.braindump2go.com
When you view the properties of a user named Userl02, you receive the error message shown in
the Error exhibit. (Click the Exhibit button.)

The error message does not display for any other members of Group1.
You need to identify which domain controller causes the issue shown in the error message.
Which domain controller should you identify?

A. DC1
B. DC2
C. DC10
D. DC11

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 225
http://www.braindump2go.com
Answer: B
Explanation:
The infrastructure master for a domain periodically examines the references, within its replica of
the directory data, to objects not held on that domain controller. It queries a Global Catalog server
for current information about the distinguished name and SID of each referenced object. If this
information has changed, the infrastructure master makes the change in its local replica and also
replicates the new values to other domain controllers within the domain.
The error hints the object reference is not updated in Infrastructure Master of Contoso.com
domain.

QUESTION 234
Your network contains an Active Directory domain named contoso.com.
All servers run Windows Server 2012. The domain contains a file server named Server1.
All client computers run Windows 8. Users share the client computers and frequently log on to
different client computers.
You need to ensure that when the users save files in the Documents folder, the files are saved
automatically to \\Server1\Users\.
The solution must minimize the amount of network traffic that occurs when the users log
on to the client computers.
What should you do?

A. From a Group Policy object (GPO), configure the Folder Redirection settings
B. From the properties of each user account, configure the Home folder settings
C. From the properties of each user account, configure the User profile settings
D. From a Group Policy object (GPO), configure the Drive Maps preference.

Answer: A
Explanation:
With the Folder Redirection allows you to redirect to a new location, for example to a network
share the location of specific folders within user profiles.. Folder Redirection is used in the
management of user profiles and roaming user profiles. You can configure the folder redirection
by using Group Policy Management Console to redirect specific user profile folders and to edit
policy settings for folder redirection.
User settings and user files are typically stored in the local user in the User folder profile. The
access to the files in the local user profile can only be made from the current computer. It is
therefore difficult for users with more than one computer to work with the data and synchronize
settings between multiple computers.
By configuring the Folder Redirection allows you to redirect the path of a folder to a new location.
The path can be a folder on the local computer or a directory on a network file share. Users have
the ability to use the documents on a server as if the documents were stored on the local hard
disk. The documents in the folder are available to the user from any computer on the network.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 226
http://www.braindump2go.com
QUESTION 235
Hotspot Question
You have a server named Server1 that runs Windows Server 2012 R2. Server1 has two network
adapters and is located in a perimeter network.
You need to configure Server1 as a network address translation (NAT) server.
Which node should you use to add the NAT routing protocol?
To answer, select the appropriate node in the answer area.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 227
http://www.braindump2go.com
Answer:

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 228
http://www.braindump2go.com
Explanation:
Additional routing protocols can be installed on the node IPv4 \ General.

QUESTION 236
Hotspot Question
You have a server named Server5 that runs Windows Server 2012 R2. Servers has the Windows
Deployment Services server role installed.
You need to ensure that when client computers connect to Server5 by using PXE, the computers
use an unattended file.
What should you configure?
To answer, select the appropriate tab in the answer area.

Answer:

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 229
http://www.braindump2go.com
QUESTION 237
Your network contains a server named Server1 that has the Network Policy and Access Services
server role installed. All of the network access servers forward connection requests to Server1.
You create a new network policy on Server1.
You need to ensure that the new policy applies only to connection requests from Microsoft RAS
servers that are located on the 192.168.0.0/24 subnet.
Which two configurations should you perforin?
(Each correct answer presents part of the solution. Choose two.)

A. Set the MS-RAS Vendor ID condition to $teelHead.


B. Set the Called Station ID constraint to 192.168.0.
C. Set the Client IP4 Address condition to 192.168.0.0/24.
D. Set the MS-RAS Vendor ID condition to ^311$.
E. Set the Called Station ID constraint to 192.168.0.0/24.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 230
http://www.braindump2go.com
F. Set the Client IP4 Address condition to 192.168.0.

Answer: DF
Explanation:
D: MS-RAS-Vendor Matches "^311$" ) The condition means that the policy applies only when the
version of the RADIUS client is ^311$, so subsequent settings in this policy apply only to RRAS
machines.
F: Client IPv4 Address
Specifies the Internet Protocol (IP) version 4 address of the RADIUS client that forwarded the
connection request to the NPS server.

QUESTION 238
Your network contains an Active Directory domain named contoso.com.
The domain contains a server named Server1. Server1 is configured as a VPN server.
You need to configure Server1 to perform network address translation (NAT).
What should you do?

A. From Network Connections, modify the Internet Protocol Version 6 (TCP/IPv6) setting of each
network adapter.
B. From Routing and Remote Access, add an IPv4 routing protocol.
C. From Routing and Remote Access, add an IPv6 routing protocol.
D. From Network Connections, modify the Internet Protocol Version 4 (TCP/IPv4) setting of each
network adapter.

Answer: B
Explanation:
To configure an existing RRAS server to support both VPN remote access and NAT routing:
1. Open Server Manager.
2. Expand Roles, and then expand Network Policy and Access Services.
3. Right-click Routing and Remote Access, and then click Properties.
4. Select IPv4 Remote access Server or IPv6 Remote access server, or both.

QUESTION 239
Your network contains an Active Directory domain named contoso.com. The domain contains a
server named Server1 that has the Remote Access server role installed. DirectAccess is
implemented on Server1 by using the default configuration.
You discover that DirectAccess clients do not use DirectAccess when accessing websites on the
Internet.
You need to ensure that DirectAccess clients access all Internet websites by using their
DirectAccess connection.
What should you do?

A. Disable the DirectAccess Passive Mode policy setting in the DirectAccess Client Settings Group
Policy object (GPO).
B. Configure a DNS suffix search list on the DirectAccess clients.
C. Enable the Route all traffic through the internal network policy setting in the DirectAccess Server
Settings Group Policy object (GPO).
D. Configure DirectAccess to enable force tunneling.

Answer: D
Explanation:
With IPv6 and the Name Resolution Policy Table (NRPT), by default, DirectAccess clients

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 231
http://www.braindump2go.com
separate their intranet and Internet traffic as follows:
- DNS name queries for intranet fully qualified domain names (FQDNs) and all intranet traffic is
exchanged over the tunnels that are created with the DirectAccess server or directly with intranet
servers. Intranet traffic from DirectAccess clients is IPv6 traffic.
- DNS name queries for FQDNs that correspond to exemption rules or do not match the intranet
namespace, and all traffic to Internet servers, is exchanged over the physical interface that is
connected to the Internet. Internet traffic from DirectAccess clients is typically IPv4 traffic.
In contrast, by default, some remote access virtual private network (VPN) implementations,
including the VPN client, send all intranet and Internet traffic over the remote access VPN
connection. Internet-bound traffic is routed by the VPN server to intranet IPv4 web proxy servers
for access to IPv4 Internet resources. It is possible to separate the intranet and Internet traffic for
remote access VPN clients by using split tunneling. This involves configuring the Internet Protocol
(IP) routing table on VPN clients so that traffic to intranet locations is sent over the VPN
connection, and traffic to all other locations is sent by using the physical interface that is
connected to the Internet.
You can configure DirectAccess clients to send all of their traffic through the tunnels to the
DirectAccess server with force tunneling. When force tunneling is configured, DirectAccess
clients detect that they are on the Internet, and they remove their IPv4 default route. With the
exception of local subnet traffic, all traffic sent by the DirectAccess client is IPv6 traffic that goes
through tunnels to the DirectAccess server.

QUESTION 240
Your network contains an Active Directory domain named contoso.com. The domain contains a
read-only domain controller (RODC) named RODC1.
You create a global group named RODC_Admins.
You need to provide the members of RODC_Admins with the ability to manage the hardware and
the software on R0DC1. The solution must not provide RODC_Admins with the ability to manage
Active Directory objects.
What should you do?

A. From Active Directory Users and Computers, run the Delegation of Control Wizard
B. From a command prompt, run the dsadd computer command
C. From Active Directory Users and Computers, configure the Managed By settings of the RODC1 account.
D. From Active Directory Site and Services, configure the Security settings of the RODC1 server object.

Answer: C
Explanation:
Modify the Managed By tab of the RODC account properties in the Active Directory Users and
Computers snap-in, as shown in the following figure. You can click Change to change which
security principal is the delegated RODC administrator. You can choose only one security
principal. Specify a security group rather than an individual user so you can control RODC
administration permissions most efficiently. This method changes the managedBy attribute of the
computer object that corresponds to the RODC to the SID of the security principal that you
specify. This is the recommended way to specify the delegated RODC administrator account
because the information is stored in AD DS, where it can be centrally managed by domain
administrators.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 232
http://www.braindump2go.com
Incorrect:
Not A: You delegate administration of a domain or organizational unit by using the Delegation of
Control wizard available in the Active Directory Users and Computers snap- in.
Not B: dsadd group just adds a group to the Active Directory

QUESTION 241
You have a DNS server named Server1 that runs Windows Server 2012 R2. On Server1, you
create a DNS zone named contoso.com.
You need to specify the email address of the person responsible for the zone.
Which type of DNS record should you configure?

A. Start of authority (SOA)


B. Mail exchanger (MX)
C. Host information (HINFO)
D. Mailbox (MB)

Answer: A
Explanation:
A SOA-record defines the responsible person for an entire zone, but a zone may contain many
individual hosts / domain names for which different people are responsible. The Rprecord type

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 233
http://www.braindump2go.com
makes it possible to identify the responsible person for individual host names contained within the
zone.

QUESTION 242
You have a server named Server1 that runs Windows Server 2012 R2.
You discover that the performance of Server1 is poor.
The results of a performance report generated on Server1 are shown in the following table.

You need to identify the cause of the performance issue.


What should you identify?

A. Excessive paging
B. NUMA fragmentation
C. Driver malfunction
D. Insufficient RAM

Answer: C
Explanation:
Processor: %DPC Time. Much like the other values, this counter shows the amount of time that
the processor spends servicing DPC requests. DPC requests are more often than not associated
with the network interface.

Processor: % Interrupt Time. This is the percentage of time that the processor is spending on
handling Interrupts. Generally, if this value exceeds 50% of the processor time you may have a
hardware issue. Some components on the computer can force this issue and not really be a
problem. For example a programmable I/O card like an old disk controller card, can take up to
40% of the CPU time. A NIC on a busy IIS server can likewise generate a large percentage of
processor activity.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 234
http://www.braindump2go.com
Processor: % User Time. The value of this counter helps to determine the kind of processing
that is affecting the system. Of course the resulting value is the total amount of non-idle time that
was spent on User mode operations. This generally means application code.

Processor: %Privilege Time. This is the amount of time the processor was busy with Kernel
mode operations. If the processor is very busy and this mode is high, it is usually an indication of
some type of NT service having difficulty, although user mode programs can make calls to the
Kernel mode NT components to occasionally cause this type of performance issue.

Memory: Pages/sec. This value is often confused with Page Faults/sec. The Pages/sec counter
is a combination of Pages Input/sec and Pages Output/sec counters. Recall that Page Faults/sec
is a combination of hard page faults and soft page faults. This counter, however, is a general
indicator of how often the system is using the hard drive to store or retrieve memory associated
data.
http://technet.microsoft.com/en-us/library/cc768048.aspx

QUESTION 243
Your network contains an Active Directory domain named contoso.com.
All servers run Windows Server 2012 R2. An organizational unit (OU) named ResearchServers
contains the computer accounts of all research servers.
All domain users are configured to have a minimum password length of eight characters.
You need to ensure that the minimum password length of the local user accounts on the research
servers in the ResearchServers OU is 10 characters.
What should you do?

A. Create a universal group that contains the research servers.


Create a Password Settings object (PSO) and assign the PSO to the group.
B. Configure a local Group Policy object (GPO) on each research server.
C. Create and link a Group Policy object (GPO) to the ResearchServers OU.
D. Create a global group that contains the research servers.
Create a Password Settings object (PSO) and assign the PSO to the group.

Answer: C
Explanation:
The password policies a GPO (GPO) that is applied to domain computers are taken over by the
domain computers as a local password policy.
---------------------
For a domain, and you are on a member server or a workstation that is joined to the domain:
1. Open Microsoft Management Console (MMC).
2. On the File menu, click Add/Remove Snap-in, and then click Add.
3. Click Group Policy Object Editor, and then click Add.
4. In Select Group Policy Object, click Browse.
5. In Browse for a Group Policy Object, select a Group Policy object (GPO) in the appropriate
domain, site, or organizational unit--or create a new one, click OK, and then click Finish.
6. Click Close, and then click OK.
7. In the console tree, click Password Policy.
Where?
Group Policy Object [computer name] Policy/Computer Configuration/Windows Settings/Security
Settings/Account Policies/Password Policy
8. In the details pane, right-click the policy setting that you want, and then click Properties.
9. If you are defining this policy setting for the first time, select the Define this policy setting check
box.
10. Select the options that you want, and then click OK.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 235
http://www.braindump2go.com
QUESTION 244
Your network contains an Active Directory domain named contoso.com. All domain controllers
run Windows Server 2012 R2. The domain contains an Edge Server named Server1.
Server1 is configured as a DirectAccess server. Server1 has the following settings:

Your company uses split-brain DNS for the contoso.com zone.


You run the Remote Access Setup wizard as shown in the following exhibit. (Click the Exhibit
button.)

You need to ensure that client computers on the Internet can establish DirectAccess connections
to Server1.
Which additional name suffix entry should you add from the Remote Access Setup wizard?

A. A Name Suffix value of dal.contoso.com and a blank DNS Server Address value
B. A Name Suffix value of Server1.contoso.com and a DNS Server Address value of 65.55.37.62
C. A Name Suffix value of Server1.contoso.com and a blank DNS Server Address value
D. A Name Suffix value of dal.contoso.com and a DNS Server Address value of 65.55.37.62

Answer: A
Explanation:
For split-brain DNS deployments, you must list the FQDNs that are duplicated on the Internet and
intranet and decide which resources the DirectAccess client should reach, the intranet version or
the public (Internet) version. For each name that corresponds to a resource for which you want
DirectAccess clients to reach the public version, you must add the corresponding FQDN as an

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 236
http://www.braindump2go.com
exemption rule to the NRPT for your DirectAccess clients.
Name suffixes that do not have corresponding DNS servers are treated as exemptions.
http://technet.microsoft.com/en-us/library/ee382323(v=ws.10).aspx

QUESTION 245
Your network contains an Active Directory domain named contoso.com. All servers run Windows
Server 2012 R2. Client computers run either Windows 7 or Windows 8. All of the client computers
have an application named App1 installed. The domain contains a Group Policy object (GPO)
named GPO1 that is applied to all of the client computers.
You need to add a system variable named App1Data to all of the client computers.
Which Group Policy preference should you configure?

A. Services
B. Ini Files
C. Environment
D. Data Sources

Answer: C
Explanation:
Environment Variable preference items allow you to create, update, replace, and delete user and
system environment variables or semicolon-delimited segments of the PATH variable. Before you
create an Environment Variable preference item, you should review the behavior of each type of
action possible with this extension.

QUESTION 246
Drag and Drop Question
Your network contains an Active Directory forest named contoso.com. All domain controllers run
Windows Server 2008 R2. The schema is upgraded to Windows Server 2012 R2. Contoso.com
contains two servers. The servers are configured as shown in the following table.

Server1 and Server2 host a load-balanced application pool named AppPool1.


You need to ensure that AppPool1 uses a group Managed Service Account as its identity.
Which three actions should you perform?
To answer, move the three appropriate actions from the list of actions to the answer area and
arrange them in the correct order.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 237
http://www.braindump2go.com
Answer:

QUESTION 247
Your network contains a Hyper-V host named Hyperv1. Hyperv1 runs Windows Server 2012 R2.
Hyperv1 hosts four virtual machines named VM1, VM2, VM3, and VM4. All of the virtual
machines run Windows Server 2008 R2.
You need to view the amount of memory resources and processor resources that VM4 currently
uses.
Which tool should you use on Hyperv1?

A. Resource Monitor
B. Task Manager
C. Hyper-V Manager
D. Windows System Resource Manager (WSRM)

Answer: C
Explanation:
Hyper-V Performance Monitoring Tool
Know which resource is consuming more CPU. Find out if CPUs are running at full capacity or if
they are being underutilized. Metrics tracked include Total CPU utilization, Guest CPU utilization,
Hypervisor CPU utilization, idle CPU utilization, etc.
WSRM is deprecated starting with Windows Server 2012

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 238
http://www.braindump2go.com
QUESTION 248
You have a server named Server1 that runs Windows Server 2012 R2.
You create a custom Data Collector Set (DCS) named DCS1.
You need to configure Server1 to start DCS1 automatically when the network usage exceeds 70
percent.
Which type of data collector should you create?

A. A configuration data collector


B. A performance counter data collector
C. An event trace data collector
D. A performance counter alert

Answer: D
Explanation:
Performance alerts notify you when a specified performance counter exceeds your configured
threshold by logging an event to the event log. But rather than notifying you immediately when the
counter exceeds the threshold, you can configure a time period over which the counter needs to
exceed the threshold, to avoid unnecessary alerts.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 239
http://www.braindump2go.com
QUESTION 249
Your network contains an Active Directory domain named contoso.com. The domain contains a
server named Server1 that runs Windows Server 2012 R2. Server1 has the following role
services installed:

- DirectAccess and VPN (RRAS)


- Network Policy Server

Remote users have client computers that run either Windows XP, Windows 7, or Windows 8.
You need to ensure that only the client computers that run Windows 7 or Windows 8 can
establish VPN connections to Server1.
What should you configure on Server1?

A. A vendor-specific RADIUS attribute of a Network Policy Server (NPS) connection request policy
B. A condition of a Network Policy Server (NPS) network policy
C. A condition of a Network Policy Server (NPS) connection request policy
D. A constraint of a Network Policy Server (NPS) network policy

Answer: B
Explanation:

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 240
http://www.braindump2go.com
If you want to configure the Operating System condition, click Operating System, and then click
Add. In Operating System Properties, click Add, and then specify the operating system settings
that are required to match the policy.
The Operating System condition specifies the operating system (operating system version or
service pack number), role (client or server), and architecture (x86, x64, or ia64) required for the
computer configuration to match the policy.
Configuring NAP on the Network Policy Server (NPS)
https://technet.microsoft.com/en-us/library/dd182017.aspx
Network Policy Constraints Properties
https://technet.microsoft.com/en-us/library/cc770641(v=ws.10).aspx

QUESTION 250
You manage a server that runs Windows Server 2012 R2.
The server has the Windows Deployment Services server role installed.
You start a virtual machine named VM1 as shown in the exhibit. (Click the Exhibit button.)

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 241
http://www.braindump2go.com
You need to configure a pre-staged device for VM1 in the Windows Deployment Services
console.
Which two values should you assign to the device ID?
(Each correct answer presents a complete solution. Choose two.)

A. 979708BFC04B45259FE0C4150BB6C618
B. 979708BF-C04B-4525-9FE0-C4150BB6C618
C. 00155D000F1300000000000000000000
D. 0000000000000000000000155D000F13
E. 00000000-0000-0000-0000-C4150BB6C618

Answer: BD
Explanation:
Use client computer's media access control (MAC) address preceded with twenty zeros or the
globally unique identifier (GUID) in the format: {XXXXXXXX-XXXX-XXXX-XXX-
XXXXXXXXXXXX}.
http://technet.microsoft.com/en-us/library/cc754469.aspx

QUESTION 251
Your network contains an Active Directory domain named contoso.com. The domain contains a
RADIUS server named Server1 that runs Windows Server 2012 R2.
You add a VPN server named Server2 to the network. On Server1, you create several network
policies.
You need to configure Server1 to accept authentication requests from Server2.
Which tool should you use on Server1?

A. Add-RemoteAccessRadius
B. New-NpsRadiusClient
C. Remote Access Management Console
D. Routing and Remote Access

Answer: B
Explanation:
There are two configurations need to be done in Server1. First is to create a RADIUS client, and
second, create a network policy. The network policy has been created. So we need to use New-
NpsRadiusClient to create a RADIUS client.

QUESTION 252
You have a server named Server1 that runs Windows Server 2012 R2. Server1 has the Remote
Access server role installed.
On Server1, you create a network policy named Policy1.
You need to configure Policy1 to ensure that users are added to a VLAN.
Which attributes should you add to Policy1?

A. Tunnel-Tag, Tunnel-Password, Tunnel-Medium-Type, and Tunnel-Preference


B. Tunnel-Tag, Tunnel-Server-Auth-ID, Tunnel-Preference, and Tunnel-Pvt-Group-ID
C. Tunnel-Type, Tunnel-Tag, Tunnel-Medium-Type, and Tunnel-Pvt-Group-ID
D. Tunnel-Type, Tunnel-Password, Tunnel-Server-Auth-ID, and Tunnel-Pvt-Group-ID

Answer: C
Explanation:
VLAN attributes used in network policy

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 242
http://www.braindump2go.com
When you use network hardware, such as routers, switches, and access controllers that support
virtual local area networks (VLANs), you can configure Network Policy Server (NPS) network
policy to instruct the access servers to place members of Active Directory® groups on VLANs.
Before configuring network policy in NPS for VLANs, create groups of users in Active Directory
Domain Services (AD DS) that you want to assign to specific VLANs. Then when you run the
New Network Policy wizard, add the Active Directory group as a condition of the network policy.
You can create a separate network policy for each group that you want to assign to a VLAN. For
more information, see Create a Group for a Network Policy. When you configure network policy
for use with VLANs, you must configure the RADIUS standard attributes Tunnel-Medium-Type,
Tunnel-Pvt-Group-ID, and Tunnel-Type. Some hardware vendors also require the use of the
RADIUS standard attribute Tunnel-Tag.
To configure these attributes in a network policy, use the New Network Policy wizard to create a
network policy. You can add the attributes to the network policy settings while running the wizard
or after you have successfully created a policy with the wizard.
Tunnel-Medium-Type. Select a value appropriate to the previous selections you made while
running the New Network Policy wizard. For example, if the network policy you are configuring is
a wireless policy, in Attribute Value, select 802 (Includes all 802 media plus Ethernet canonical
format).
Tunnel-Pvt-Group-ID. Enter the integer that represents the VLAN number to which group
members will be assigned. For example, if you want to create a Sales VLAN for your sales team
by assigning team members to VLAN 4, type the number 4.
Tunnel-Type. Select the value Virtual LANs (VLAN).
Tunnel-Tag. Some hardware devices do not require this attribute. If your hardware device
requires this attribute, obtain this value from your hardware documentation.

QUESTION 253
You are a network administrator of an Active Directory domain named contoso.com.
You have a server named Server1 that runs Windows Server 2012 R2.
Server1 has the DHCP Server server role and the Network Policy Server role service installed.
You enable Network Access Protection (NAP) on all of the DHCP scopes on Server1.
You need to create a DHCP policy that willApply to all of the NAP non-compliant DHCP clients.
Which criteria should you specify when you create the DHCP policy?

A. The relay agent information


B. The client identifier
C. The vendor class
D. The user class

Answer: D
Explanation:

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 243
http://www.braindump2go.com
To configure a NAP-enabled DHCP server
- On the DHCP server, click Start, click Run, in Open, type dhcpmgmt.smc, and then press
ENTER.
- In the DHCP console, open <servername>\IPv4.
- Right-click the name of the DHCP scope that you will use for NAP client computers, and then
click Properties.
- On the Network Access Protection tab, under Network Access Protection Settings, choose -
Enable for this scope, verify that Use default Network Access Protection profile is selected, and
then click OK. In the DHCP console tree, under the DHCP scope that you have selected, right-
click Scope Options, and then click Configure Options.
- On the Advanced tab, verify that Default User Class is selected next to User class.
- Select the 003 Router check box, and in IP Address, under Data entry, type the IP address for
the default gateway used by compliant NAP client computers, and then click Add.
- Select the 006 DNS Servers check box, and in IP Address, under Data entry, type the IP
address for each router to be used by compliant NAP client computers, and then click Add.
- Select the 015 DNS Domain Name check box, and in String value, under Data entry, type your
organization's domain name (for example, woodgrovebank.local), and then click Apply. This
domain is a full-access network assigned to compliant NAP clients.
- On the Advanced tab, next to User class, choose Default Network Access Protection Class.
- Select the 003 Router check box, and in IP Address, under Data entry, type the IP address for
the default gateway used by noncompliant NAP client computers, and then click Add. This can be
the same default gateway that is used by compliant NAP clients.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 244
http://www.braindump2go.com
- Select the 006 DNS Servers check box, and in IP Address, under Data entry, type the IP
address for each DNS server to be used by noncompliant NAP client computers, and then click
Add. These can be the same DNS servers used by compliant NAP clients.
- Select the 015 DNS Domain Name check box, and in String value, under Data entry, type a
name to identify the restricted domain (for example, restricted.woodgrovebank.local), and then
click OK. This domain is a restricted-access network assigned to noncompliant NAP clients.
- Click OK to close the Scope Options dialog box.
- Close the DHCP console.
http://technet.microsoft.com/en-us/library/dd296905%28v=ws.10%29.aspx

QUESTION 254
Your network contains an Active Directory domain named contoso.com. The network contains a
server named Server1 that runs Windows Server 2012 R2. Server1 has the Network Policy and
Access Services server role installed.
You plan to deploy additional servers that have the Network Policy and Access Services server
role installed.
You must standardize as many settings on the new servers as possible.
You need to identify which settings can be standardized by using the Network Policy Server
(NPS) templates.
Which three settings should you identify? (Each answer presents part of the solution.
Choose three.)

A. IP filters
B. shared secrets
C. health policies
D. network policies
E. connection request policies

Answer: ABC
Explanation:
Using NPS templates (Network Policy Server, Network Policy Server) allows you to create
configuration elements such as RADIUS clients (Remote Authentication Dial-In User Service) or
shared secret that you can reuse on the local NPS server and for use on other NPS servers can
export. NPS templates to reduce the time required and the cost of configuring one or more
Network Policy Server. The following NPS template types are available in the template
management for configuration:
Shared secrets
RADIUS clients
Remote RADIUS server
IP Filter
Health Policies
Remediation Server Groups
Configuring a template is not to be confused with direct Configuring the Network Policy Server.
Creating a template does not affect the functionality of the Network Policy Server. Only when you
select the template in the appropriate place in the NPS console, the original on the functionality of
the Network Policy Server acts out.

QUESTION 255
You are the network administrator for a midsize computer company.
You have a single Active Directory forest, and your DNS servers are configured as Active
Directory Integrated zones. When you look at the DNS records in Active Directory, you notice that
there are many records for computers that do not exist on your domain.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 245
http://www.braindump2go.com
You want to make sure only domain computers register with your DNS servers.
What should you do to resolve this issue?

A. Set dynamic updates to None.


B. Set dynamic updates to Nonsecure And Secure.
C. Set dynamic updates to Domain Users Only.
D. Set dynamic updates to Secure Only.

Answer: D
Explanation:
Already in the wizard to create new zones, you can configure the options for dynamic updates.
The option only secure dynamic updates allows you to register new records and updating existing
Einträg only computers that are members of the domain.

QUESTION 256
A system administrator is trying to determine which file system to use for a server that will
become a Windows Server 2012 R2 file server and domain controller. The company has the
following requirements:
The file system must allow for file-level security from within Windows 2012 Server.
The file system must make efficient use of space on large partitions.
The domain controller SYSVOL must be stored on the partition
Which of the following file systems meets these requirements?

A. FAT
B. FAT32
C. HPFS
D. NTFS

Answer: D
Explanation:
A file system is the underlying structure that is used on a computer for organizing data on your
hard drive. If you are installing a new hard drive, you must partition using a file system and format
it before you can store on the hard disk data or programs. On Windows, you can choose between
three file system options: NTFS, FAT32, and the older and rarely-used FAT (also called FAT16).

NTFS
NTFS is the preferred file system of Windows. NTFS has many advantages over the earlier
FAT32 file system. These include:

The ability to automatically perform a recovery with some disk-related errors.


This is not possible with FAT32.
Improved support for larger hard drives.

Better security because you can restrict using permissions and encryption to access certain files
to authorized users.
For the Sysvol directory of a domain controller an NTFS formatted partition is imperative. FAT32
FAT32 and FAT less frequently used were used in previous versions of the Windows operating
system, including Windows 95, Windows 98 and Windows Millennium Edition. FAT32 can not
offer assurances provided by the NTFS file system. If you have a FAT32 partition or a FAT32
volume on your computer, any user who accesses your computer, read all the files stored on it. In
addition, the FAT32 file system is subject to size restrictions. Under this version of Windows, you
can only create a FAT32 partition up to 32 GB and store files with a maximum of 4 GB on a
FAT32 partition.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 246
http://www.braindump2go.com
FAT32 is mainly required if you own a computer, occasionally under Windows 95, Windows 98 or
Windows Millennium Edition, and will otherwise run on this version of Windows. This is called a
multiboot configuration. If this applies to your computer, you must install the older operating
system on a FAT32 or FAT partition and ensure that it is in this partition to a primary partition (a
partition that can host an operating system). Any additional partitions that you access when you
run these previous versions of Windows must also be formatted with FAT32. These previous
versions of Windows can over a network on NTFS partitions or -volumes access, but not to the
NTFS partitions or -volumes on your computer.

QUESTION 257
Your corporate network includes an Active Directory Domain Services (AD DS) domain contoso.
On all domain controllers running Windows Server 2012 R2 is installed.
You need to create a new user account using the command prompt.
Which command would you use?

A. dsmodify
B. dscreate
C. dsnew
D. dsadd
E. Dsmod
F. Dsmgmt
G. Dsacls
H. Dsrm
I. Dsamain
I.
Answer: D
Explanation:
This command-line tool Dsadd was integrated for the first time in Windows Server 2008 and is
installed since Active cooperation with the role Directory Domain Services. The program enables
the creation of Active Directory objects from the command line and contains the following
subroutines for creating different types of objects:
Dsadd computer
Dsadd contact
Dsadd group
Dsadd ou
Dsadd user
Dsadd quota

QUESTION 258
You are hired as a consultant to the ABC Company. The owner of the company complains that
she continues to have Desktop wallpaper that she did not choose. When you speak with the IT
team, you find out that a former employee created 20 GPOs and they have not been able to
figure out which GPO is changing the owner's Desktop wallpaper.
How can you resolve this issue?

A. Run the RSoP utility against all forest computer accounts


B. Run the RSoP utility against the owner's computer account
C. Run the RSoP utility against the owner's user account
D. Run the RSoP utility against all domain computer accounts.

Answer: C

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 247
http://www.braindump2go.com
QUESTION 259
You need to enable three of your domain controllers as global catalog servers.
Where would you configure the domain controllers as global catalogs?

A. Forest, NTDS settings


B. Domain, NTDS settings
C. Site, NTDS settings
D. Server, NTDS settings

Answer: D

QUESTION 260
You are the network administrator for your organization.
Your company uses a Windows Server 2012 R2 Enterprise certification authority to issue
certificates.
You need to start using key archival.
What should you do?

A. Implement a distribution CRL.


B. Install the smart card key retrieval.
C. Implement a Group Policy object (GPO) that enables the Online Certificate Status Protocol (OCSP) responder.
D. Archive the private key on the server.

Answer: D

QUESTION 261
You wants to change the memory of a virtual machine that is currently powered up.
What does he need to do?

A. Shut down the virtual machine, use the virtual machine's settings to change the memory, and start it again.
B. Use the virtual machine's settings to change the memory
C. Pause the virtual machine, use the virtual machine's settings to change the memory, and resume it.
D. Save the virtual machine, use the virtual machine's settings to change the memory, and resume it.

Answer: A
Explanation:
The memory of a virtual machine, you can only change if the VM is powered off. If the VM is
running, is stopped or saved, the settings for the memory can not be changed. A hard disk or a
DVD drive, however, you can also add a virtual machine during operation.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 248
http://www.braindump2go.com
QUESTION 262
You need to stop an application from running in Task Manager.
Which tab would you use to stop an application from running?

A. Performance
B. Users
C. Options
D. Details

Answer: D

QUESTION 263
You upgraded all of your locations to Windows Server 2012 R2 and implemented the routing
capability built into the servers.
You chose to implement RIP. After implementing the routers, you discover that routes that you
don't want your network to consider are updating your RIP routing tables.
What can you do to control which networks the RIP routing protocol will communicate with on
your network?

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 249
http://www.braindump2go.com
A. Configure TCP/IP filtering
B. Configure RIP route filtering
C. Configure IP packet filtering
D. Configure RIP peer filtering
E. There is no way to control this behavior

Answer: B
Explanation:
RIP route filters allow you to configure your routers to either ignore or accept updates from
specific network addresses or a range of addresses. TCP/IP filtering is configured at each
individual host to control the traffic at a granular level, such as a specific address, UDP port, or
TCP port. IP packet filtering is used on the router interface to control IP traffic based on subnet
masks, IP address, or port.
RIP peer filtering is used to control communication between individual routers rather than control
the entire network address.

QUESTION 264
Your company has offices in five locations around the country. Most of the users' activity is local
to their own network. Occasionally, some of the users in one location need to send confidential
information to one of the other four locations or to retrieve information from one of them. The
communication between the remote locations is sporadic and relatively infrequent, so you have
configured RRAS to use demand-dial lines to set up the connections. Management's only
requirement is that any communication between the office locations be appropriately secured.
Which of the following steps should you take to ensure compliance with this requirement?
(Choose all that apply.)

A. Configure CHAP on all the RRAS servers.


B. Configure PAP on all the RRAS servers.
C. Configure MPPE on all the RRAS servers.
D. Configure L2TP on all the RRAS servers.
E. Configure MS-CHAPv2 on all the RRAS servers.

Answer: CE
Explanation:
For dial-up and PPTP dial-in site-to-site scenarios, authentication protocols EAP-TLS or MS-
CHAP v2 are recommended. For encryption, the Microsoft Point-to-Point Encryption (MPPE)
protocol recommended. See also: Choosing MPPE or IPSec Encryption

QUESTION 265
Your network contains an Active Directory domain named contoso.com. All domain controllers
run Windows Server 2012 R2.
In a remote site, a support technician installs a server named DC10 that runs Windows Server
2012 R2. DC10 is currently a member of a workgroup.
You plan to promote DC10 to a read-only domain controller (RODC).
You need to ensure that a user named Contoso\User1 can promote DC10 to a RODC in the
contoso.com domain. The solution must minimize the number of permissions assigned to User1.
What should you do?

A. From Dsmgmt, run the local roles command.


B. From Active Directory Administrative Center, modify the security settings of the Domain Controllers
organizational unit (OU).
C. From Active Directory Users and Computers, run the Delegation of Control Wizard on the contoso.com

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 250
http://www.braindump2go.com
domain object.
D. From Active Directory Users and Computers, pre-create an RODC computer account.

Answer: D
Explanation:
A staged read only domain controller (RODC) installation works in two discrete phases:
1.Staging an unoccupied computer account
2.Attaching an RODC to that account during promotion

QUESTION 266
Which of the following features is available when Windows Server 2012 R2 is installed using the
GUI option but without the desktop experience feature installed?

A. Metro-style Start screen


B. Built-in help system
C. All of these
D. Windows Media Player

Answer: AB
Explanation:
Here is description of Desktop Experience:
http://technet.microsoft.com/en-us/library/cc772567.aspx

QUESTION 267
Your network contains two servers named Server1 and Server 2.
Both servers run Windows Server 2012 R2 and have the DNS Server server role installed.
On Server1, you create a standard primary zone named contoso.com.
You plan to create a standard primary zone for ad.contoso.com on Server2.
You need to ensure that Server1 forwards all queries for ad.contoso.com to Server2.
What should you do from Server1?

A. Create a trust anchor named Server2.


B. Create a conditional forward that points to Server2
C. Create a zone delegation that points to Server2.
D. Add Server2 as a name server.

Answer: C
Explanation:
You can divide your Domain Name System (DNS) namespace into one or more zones.
You can delegate management of part of your namespace to another location or department in
your organization by delegating the management of the corresponding zone.
For more information, see Understanding Zone Delegation

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 251
http://www.braindump2go.com
Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 252
http://www.braindump2go.com
QUESTION 268
Your network contains an Active Directory domain named adatum.com. The domain contains a
member server named Server1 and 10 web servers. All of the web servers are in an
organizational unit (OU) named WebServers_OU. All of the servers run Windows Server 2012
R2.
On Server1, you need to collect the error events from all of the web servers. The solution must
ensure that when new web servers are added to WebServers_OU, their error events are
collected automatically on Server1.
What should you do?

A. On Server1, create a source computer initiated subscription.


From a Group Policy object (GPO), configure the Configure forwarder resource usage setting
B. On Server1, create a source computer initiated subscription.
From a Group Policy object (GPO), configure the Configure target Subscription Manager setting
C. On Server1, create a collector initiated subscription.
From a Group Policy object (GPO), configure the Configure target Subscription Manager setting
D. On Server1, create a collector initiated subscription.
From a Group Policy object (GPO), configure the Configure forwarder resource usage setting.

Answer: B
Explanation:
Source-initiated subscriptions allow you to define a subscription on an event collector computer
without defining the event source computers, and then multiple remote event source computers
can be set up (using a group policy setting) to forward events to the event collector computer.
This differs from a collector initiated subscription because in the collector initiated subscription
model, the event collector must define all the event sources in the event subscription.
1. Run the following command from an elevated privilege command prompt on the
Windows Server domain controller to configure Windows Remote Management:
winrm qc - q
2. Start group policy by running the following command:
%SYSTEMROOT%\System32\gpedit. msc
3. Under the Computer Configuration node, expand the Administrative Templates node, then
expand the Windows Components node, then select the Event Forwarding node.
4. Right-click the SubscriptionManager setting, and select Properties. Enable the
SubscriptionManager setting, and click the Show button to add a server address to the setting.
Add at least one setting that specifies the event collector computer. The SubscriptionManager
Properties window contains an Explain tab that describes the syntax for the setting.
5. After the SubscriptionManager setting has been added, run the following command to ensure
the policy is applied: gpupdate /force.
If you want to configure a source computer-initiated subscription, you need to configure the
following group policies on the computers that will act as the event forwarders:
* (A) Configure Target Subscription Manager This policy enables you to set the location of the
collector computer.

QUESTION 269
You have a DNS server named DN51 that runs Windows Server 2012 R2.
On DNS1, you create a standard primary DNS zone named adatum.com.
You need to change the frequency that secondary name servers will replicate the zone from
DNS1.
Which type of DNS record should you modify?

A. start of authority (SOA)


B. name server (NS)
C. service location (SRV)

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 253
http://www.braindump2go.com
D. host information (HINFO)

Answer: A
Explanation:
The time to live is specified in the Start of Authority (SOA) record
Note: TTL (time to live) - The number of seconds a domain name is cached locally before
expiration and return to authoritative nameservers for updated information.

QUESTION 270
In Windows Server 2012 R2, you can remove the Server Graphical Shell, resulting in the
"Minimal Server Interface." This is similar to a Server with a GUI installation except that some
features are not installed.
Which of the following features is not installed in this scenario?

A. MMC
B. Windows Explorer
C. Control Panel (subset)
D. Server Manager

Answer: B
Explanation:
When you choose the minimal server interface option Internet Explorer 10, Windows Explorer, the
desktop, and the Start screen are not installed. Microsoft Management Console (MMC), Server
Manager, and a subset of Control Panel are still present.

QUESTION 271
Your network contains an Active Directory domain named contoso.com.
The domain contains a server named Server1 that runs Windows Server 2012 R2.
Server1 has the Remote Desktop Session Host role service installed.
The computer account of Server1 resides in an organizational unit (OU) named OU1.
You create and link a Group Policy object (GPO) named GPO1 to OU1.
GPO1 is configured as shown in the exhibit. (Click the Exhibit button.)

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 254
http://www.braindump2go.com
You need to prevent GPO1 from Applying to your user account when you log on to Server1.
GPO1 must Apply to every other user who logs on to Server1.
What should you configure?

A. WMI Filtering
B. Item-level Targeting
C. Block Inheritance
D. Security Filtering

Answer: D

QUESTION 272
Your network contains an Active Directory domain named contoso.com.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 255
http://www.braindump2go.com
The domain contains a domain controller named DC1 that runs Windows Server 2012 R2.
DC1 is backed up daily.
The domain has the Active Directory Recycle Bin enabled.
During routine maintenance, you delete 500 inactive user accounts and 100 inactive groups.
One of the deleted groups is named Group1.
Some of the deleted user accounts are members of some of the deleted groups.
For documentation purposes, you must provide a list of the members of Group1 before the group
was deleted.
You need to identify the names of the users who were members of Group1 prior to its deletion.
You want to achieve this goal by using the minimum amount of administrative effort.
What should you do first?

A. Mount the most recent Active Directory backup.


B. Perform an authoritative restore of Group1.
C. Use the Recycle Bin to restore Group1.
D. Reactivate the tombstone of Group1.

Answer: A
Explanation:
Note:
The Active Directory Recycle Bin does not have the ability to track simple changes to objects.
If the object itself is not deleted, no element is moved to the Recycle Bin for possible recovery in
the future. In other words, there is no rollback capacity for changes to object properties, or, in
other words, to the values of these properties.
Note 2:
It is not about the restoration of Group1. There are only the membership of the group will be
consulted at an earlier stage. For this purpose, an Active Directory snapshot can be used allows
read access to a previous state of the Active Directory database.

QUESTION 273
Your network contains an Active Directory domain named contoso.com. The domain contains two
servers named Server1 and Server2. Both servers run Windows Server 2012 R2.
For Server2, you are configuring constrained delegation to a third-party service named Service1
on Server1.
When you attempt to add Service1 from Server1 to the delegation setting of Server2, you
discover that Service1 is not listed in the Available services list.
You need to ensure that you can add Service1 for constrained delegation.
What should you do first?

A. From the Services console, modify the properties of Service1


B. From ADSI Edit, create a serviceConnectionPoint (SCP) object
C. From a command prompt, run the setspn.exe command
D. From Active Directory Users and Computers, enable the Advanced Features option.

Answer: A
Explanation:
An SPN (SPN) is a unique identifier for a service in a network with Kerberos authentication. SPNs
are made up of a service class, a host name and a port. In a network with Kerberos
authentication an SPN must be registered for the server under an integrated computer account
such as Network Service or Local System or a user account.
SPNs are automatically registered for built-in accounts. If you run a service under a domain user
account, you must register the SPN manually for the account that you want to use.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 256
http://www.braindump2go.com
In order to make the service Service1, which runs on Server1, on other computers of the domain
"visible", has a service account be established, which can be used over the range of the local
computer addition (domain user account).

QUESTION 274
You have a file server named Server1 that runs Windows Server 2012 R2.
Server1 has the File Server Resource Manager role service installed.
Files created by users in the human resources department are assigned the Department
classification property automatically.
You are configuring a file management task named Task1 to remove user files that have not been
accessed for 60 days or more.
You need to ensure that Task1 only removes files that have a Department classification property
of human resources. The solution must minimize administrative effort.
What should you configure on Task1?

A. Create a custom action.


B. Configure a file screen.
C. Create a classification rule.
D. Create a condition.

Answer: D
Explanation:
Create a File Expiration Task
The following procedure guides you through the process of creating a file management task for
expiring files. File expiration tasks are used to automatically move all files that match certain
criteria to a specified expiration directory, where an administrator can then back those files up
and delete them. Property conditions. Click Add to create a new condition based on the file’s
classification. This will open the Property Condition dialog box, which allows you to select a
property, an operator to perform on the property, and the value to compare the property against.
After clicking OK, you can then create additional conditions, or edit or remove an existing
condition.

QUESTION 275
Hotspot Question
Your network contains an Active Directory domain named contoso.com. The domain contains a
server named Server1 that runs Windows Server 2012 R2 and has the Network Policy Server
role service installed.
An administrator creates a Network Policy Server (NPS) network policy named Policy1.
You need to ensure that Policy1 applies to L2TP connections only.
Which condition should you modify?
To answer, select the appropriate object in the answer area.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 257
http://www.braindump2go.com
Answer:

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 258
http://www.braindump2go.com
QUESTION 276
Your network contains two DNS servers named Server1 and Server2 that run Windows Server
2012 R2. Server1 hosts a primary zone for contoso.com. Server2 hosts a secondary zone
forcontoso.com.
You need to ensure that Server2 replicates changes to the contoso.com zone every five minutes.
Which setting should you modify in the start of authority (SOA) record?

A. Retry interval
B. Minimum (default) TTL
C. Expires after
D. Refresh interval

Answer: D
Explanation:
By default, the refresh interval for each zone is set to 15 minutes. The refresh interval is used to
determine how often other DNS servers that load and host the zone must attempt to renew the
zone.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 259
http://www.braindump2go.com
QUESTION 277
Your network contains an Active Directory domain named contoso.com.
All domain controllers run Windows Server 2012 R2.
An organizational unit (OU) named OU1 contains 200 client computers that run Windows 8
Enterprise. A Group Policy object (GPO) named GPO1 is linked to OU1.
You make a change to GPO1.
You need to force all of the computers in OU1 to refresh their Group Policy settings immediately.
The solution must minimize administrative effort.
Which tool should you use?

A. The Secedit command


B. The Set-AdComputer cmdlet
C. Active Directory Users and Computers
D. The Invoke-GpUpdate cmdlet

Answer: D
Explanation:
Invoke-GPUpdate
Schedule a remote Group Policy refresh (gpupdate) on the specified computer.
Applies To: Windows Server 2012 R2
The Invoke-GPUpdate cmdlet refreshes Group Policy settings, including security settings that are

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 260
http://www.braindump2go.com
set on remote computers by scheduling the running of the Gpupdate command on a remote
computer. You can combine this cmdlet in a scripted fashion to schedule the Gpupdate command
on a group of computers.
The refresh can be scheduled to immediately start a refresh of policy settings or wait for a
specified period of time, up to a maximum of 31 days. To avoid putting a load on the network, the
refresh times will be offset by a random delay.
Note:
Group Policy is a complicated infrastructure that enables you to apply policy settings to remotely
configure a computer and user experience within a domain. When the Resultant Set of Policy
settings does not conform to your expectations, a best practice is to first verify that the computer
or user has received the latest policy settings. In previous versions of Windows, this was
accomplished by having the user run GPUpdate.exe on their computer.
With Windows Server 2012 R2 and Windows 8, you can remotely refresh Group Policy settings
for all computers in an organizational unit (OU) from one central location by using the Group
Policy Management Console (GPMC). Or you can use the Invoke-GPUpdate Windows
PowerShell cmdlet to refresh Group Policy for a set of computers, including computers that are
not within the OU structure--for example, if the computers are located in the default computers
container.
The remote Group Policy refresh updates all Group Policy settings, including security settings
that are set on a group of remote computers, by using the functionality that is added to the
context menu for an OU in the Group Policy Management Console (GPMC). When you select an
OU to remotely refresh the Group Policy settings on all the computers in that OU, the following
operations happen:
An Active Directory query returns a list of all computers that belong to that OU. For each
computer that belongs to the selected OU, a WMI call retrieves the list of signed in users.
A remote scheduled task is created to run GPUpdate.exe /force for each signed in user and once
for the computer Group Policy refresh. The task is scheduled to run with a random delay of up to
10 minutes to decrease the load on the network traffic. This random delay cannot be configured
when you use the GPMC, but you can configure the random delay for the scheduled task or set
the scheduled task to run immediately when you use the Invoke-GPUpdate cmdlet.
Reference: Force a Remote Group Policy Refresh (GPUpdate)

QUESTION 278
Your network contains an Active Directory domain named contoso.com. All domain controllers
run Windows Server 2012 R2. The domain contains two servers.
The servers are configured as shown in the following table.

Server1 and Server2 host a load-balanced website named Web1. Web1 runs by using an
application pool named WebApp1. WebApp1 uses a group Managed Service Account named
gMSA1 as its identity.
Domain users connect to Web1 by using either the name Web1.contoso.com or the alias
myweb.contoso.com.
You discover the following:

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 261
http://www.braindump2go.com
- When the users access Web1 by using Web1.contoso.com, they
authenticate by using Kerberos.
- When the users access Web1 by using myweb.contoso.com, they
authenticate by using NTLM.

You need to ensure that the users can authenticate by using Kerberos when they connect by
using myweb.contoso.com.
What should you do?

A. Run the Add-ADComputerServiceAccount cmdlet.


B. Modify the properties of the gMSA1 service account.
C. Modify the properties of the Web1 website.
D. Run the Install-ADServiceAccount cmdlet.

Answer: B
Explanation:
Independent managed service accounts that were introduced in Windows Server 2008 R2 and
Windows 7 are managed domain accounts that provide an automatic password management and
simplified management of SPN (Service Principal Names SPNs) - including delegation of
management to other administrators.

The Group managed service account provides the same functions within the domain, but this also
is expanding to multiple servers. When connecting with a service that is hosted in a server farm
(for example, a Network Load Balancing), the authentication protocols require with mutual
authentication, that all instances of services use the same principal. If group managed service
accounts can be used as a service principals, the password for the account from the Windows
operating system is managed, rather than leaving the password keeper the Administrator.

The Microsoft Key Distribution Service ("kdssvc.dll") provides the mechanism for secure retrieval
of current key or a certain key ready for an Active Directory account with a key ID. This service is
new in Windows Server 2012 and can not run on older versions of the Windows Server operating
system. From the key distribution service secret information to create keys for the account are
provided. These keys are changed regularly. In one group managed service account to the
Windows Server 2012 domain controller calculates the password for the key specified by the Key
Distribution Service - just like any other attributes of the group managed service account. Current
and older password values can be 8-member hosts accessed by contacting a Windows Server
2012 domain controller of Windows Server 2012- and Windows.

Group Managed Service Accounts provide a single identity solution for services that are running
on a server farm or on systems behind a Network Load Balancing. By providing a solution for
group managed service accounts (groups-MSA solution) services for the new group MSA
principal can be configured, while the password manager of Windows is handled. When using a
group managed service account must be managed by services or service administrators no
password synchronization between service instances become. The group managed service
account supported hosts that are offline for an extended period, as well as the managing member
of hosts for all instances of a service. So you can deploy a server farm that supports a single
identity, with respect to the can authenticate existing client computer without knowing with which
instance of the service a connection is established.

It is most likely that the service account gMSA1 only the name web1.certbase contains .de as
registered SPN. To ensure that Kerberos authentication works even when use of the name
myweb.certbase.de, must match the service account name myweb.certbase.de be added as
additional SPN. This is possible by editing the account properties or by using the Set-
ADServiceAccount.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 262
http://www.braindump2go.com
QUESTION 279
Your network contains an Active Directory domain named contoso.com. All domain controllers
run Windows Server 2012 R2.
You create a central store for Group Policy.
You receive a custom administrative template named Template1.admx.
You need to ensure that the settings in Template1.admx appear in all new Group Policy objects
(GPOs).
What should you do?

A. Copy Template1.admx to
\\Contoso.com\SYSVOL\Contoso.com\Policies\PolicyDefinitions\
B. From the Default Domain Controllers Policy, add Template1.admx to the Administrative Templates.
C. Copy Template1.admx to \\Contoso.com\NETLOGON
D. From the Default Domain Policy, add Template1.admx to the Administrative Templates.

Answer: A
Explanation:
Unlike ADM files, ADMX files are not stored in individual GPOs. For domain-based enterprises,
administrators can create a central store location of ADMX files that is accessible by anyone with
permission to create or edit GPOs.

QUESTION 280
Your network contains an Active Directory domain named contoso.com.
The domain contains a server named Server1 that runs Windows Server 2012 R2 and has the
Network Policy Server role service installed.
An administrator creates a RADIUS client template named Template1.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 263
http://www.braindump2go.com
You create a RADIUS client named Client1 by using Template1.
You need to modify the shared secret for Client1.
What should you do first?

A. Clear Select an existing template for Client1


B. Set the Shared secret setting of Template1 to Manual.
C. Clear Enable this RADIUS client for Client1.
D. Configure the Advanced settings of Template1.

Answer: A
Explanation:
Clear checkmark for Select an existing template in the new client wizard.
In New RADIUS Client, in Shared secret, do one of the following:
Ensure that Manual is selected, and then in Shared secret, type the strong password
that is also entered on the RADIUS client.
Retype the shared secret in Confirm shared secret.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 264
http://www.braindump2go.com
QUESTION 281
Your network contains an Active Directory forest. The forest contains two domains named
contoso.com and fabrikam.com. All of the DNS servers in both of the domains run Windows
Server 2012 R2.
The network contains two servers named Server1 and Server2. Server1 hosts an Active
Directory-integrated zone for contoso.com. Server2 hosts an Active Directory-integrated zone for
fabrikam.com. Server1 and Server2 connect to each other by using a WAN link.
Client computers that connect to Server1 for name resolution cannot resolve names in
fabrikam.com.
You need to configure Server1 to resolve names in fabrikam.com.
The solution must NOT require that changes be made to the fabrikam.com zone on Server2.
What should you create?

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 265
http://www.braindump2go.com
A. a secondary zone
B. a stub zone
C. a trust anchor
D. a zone delegation

Answer: B
Explanation:
A stub zone is a copy of a zone that contains only those resource records necessary to identify
the authoritative Domain Name System (DNS) servers for that zone. A stub zone is used to
resolve names between separate DNS namespaces. This type of resolution may be necessary
when a corporate merger requires that the DNS servers for two separate DNS namespaces
resolve names for clients in both namespaces.

QUESTION 282
Your network contains an Active Directory domain named contoso.com.
Network Access Protection (NAP) is deployed to the domain.
You need to create NAP event trace log files on a client computer.
What should you run?

A. Register-ObjectEvent
B. Register-EngineEvent
C. tracert
D. logman

Answer: D
Explanation:
Register-ObjectEvent: Monitor events generated from .Net Framework Object. Register-
EngineEvent: Subscribes to events that are generated by the Windows PowerShell engine and by
the New-Event cmdlet.
http://technet.microsoft.com/en-us/library/hh849967.aspx
tracert: Trace IP route
logman: Manages and schedules performance counter and event trace log collections on a local
and remote systems.
http://technet.microsoft.com/en-us/library/bb490956.aspx

QUESTION 283
Your network contains an Active Directory domain named contoso.com.
All domain controllers run Windows Server 2012 R2. The domain contains two servers.
The servers are configured as shown in the following table.

Server1 and Server2 host a load-balanced website named Web1. Web1 runs by using an

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 266
http://www.braindump2go.com
application pool named WebApp1.
WebApp1 uses a group Managed Service Account named gMSA1 as its identity.
Domain users connect to Web1 by using either the name Web1.contoso.com or the alias
myweb.contoso.com.
You discover the following:

- When the users access Web1 by using Web1.contoso.com, they


authenticate by using Kerberos.
- When the users access Web1 by using myweb.contoso.com, they
authenticate by using NTLM.

You need to ensure that the users can authenticate by using Kerberos when they connect by
using myweb.contoso.com.
What should you do?

A. Run the Set-ADServiceAccount cmdlet.


B. Run the New-ADServiceAccount cmdlet.
C. Modify the properties of the WebApp1 application pool.
D. Modify the properties of the Web1 website.

Answer: A
Explanation:
Independent managed service accounts that were introduced in Windows Server 2008 R2 and
Windows 7 are managed domain accounts that provide an automatic password management and
simplified management of SPN (Service Principal Names SPNs) - including delegation of
management to other administrators.

The Group managed service account provides the same functions within the domain, but this also
is expanding to multiple servers. When connecting with a service that is hosted in a server farm
(for example, a Network Load Balancing), the authentication protocols require with mutual
authentication, that all instances of services use the same principal. If group managed service
accounts can be used as a service principals, the password for the account from the Windows
operating system is managed, rather than leaving the password keeper the Administrator.

The Microsoft Key Distribution Service ("kdssvc.dll") provides the mechanism for secure retrieval
of current key or a certain key ready for an Active Directory account with a key ID. This service is
new in Windows Server 2012 and can not run on older versions of the Windows Server operating
system. From the key distribution service secret information to create keys for the account are
provided. These keys are changed regularly. In one group managed service account to the
Windows Server 2012 domain controller calculates the password for the key specified by the Key
Distribution Service - just like any other attributes of the group managed service account. Current
and older password values can be 8-member hosts accessed by contacting a Windows Server
2012 domain controller of Windows Server 2012- and Windows.

Group Managed Service Accounts provide a single identity solution for services that are running
on a server farm or on systems behind a Network Load Balancing. By providing a solution for
group managed service accounts (groups-MSA solution) services for the new group MSA
principal can be configured, while the password manager of Windows is handled. When using a
group managed service account must be managed by services or service administrators no
password synchronization between service instances become. The group managed service
account supported hosts that are offline for an extended period, as well as the managing member
of hosts for all instances of a service.

So you can deploy a server farm that supports a single identity, with respect to the can
authenticate existing client computer without knowing with which instance of the service a

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 267
http://www.braindump2go.com
connection is established. It is most likely that the service account gMSA1 only the name
web1.contoso contains .de as registered SPN. To ensure that Kerberos authentication works
even when use of the name myweb.certbase.de, must match the service account name
myweb.certbase.de be added as additional SPN. This is possible by editing the account
Properties or by using the Set-ADServiceAccount.

QUESTION 284
Your network contains an Active Directory domain named contoso.com. Domain controllers run
either Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012 R2.
You have a Password Settings object (PSOs) named PSO1.
You need to view the settings of PSO1.
Which tool should you use?

A. Active Directory Administrative Center


B. Get-ADAccountResultantPasswordReplicationPolicy
C. Local Security Policy
D. Get-ADDomainControllerPasswordReplicationPolicy

Answer: A
Explanation:
Up until now, PSOs were created with the ADSI Edit application or PowerShell. Now, we can use
the Active Directory Administrative Center.
Note:
* Password Setting Object (PSO) is another name for Fine Grain Password Policies. These PSOs
allowed us to set up a different password policy based on security group membership.
* Storing fine-grained password policies
Windows Server 2008 includes two new object classes in the Active Directory Domain Services
(AD DS) schema to store fine-grained password policies:
/ Password Settings Container
/ Password Settings
The Password Settings Container (PSC) object class is created by default under the System
container in the domain. It stores the Password Settings objects (PSOs) for that domain. You
cannot rename, move, or delete this container.

QUESTION 285
Your network contains an Active Directory domain named contoso.com. The domain contains a
file server named Server1 that runs Windows Server 2012 R2. Server1 has a share named
Share1.
When users without permission to Share1 attempt to access the share, they receive the Access
Denied message as shown in the exhibit. (Click the Exhibit button.)

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 268
http://www.braindump2go.com
You deploy a new file server named Server2 that runs Windows Server 2012 R2.
You need to configure Server2 to display the same custom Access Denied message as Server1.
What should you install on Server2?

A. The Remote Assistance feature


B. The File Server Resource Manager role service
C. The Enhanced Storage feature
D. The Storage Services server role

Answer: B
Explanation:
We need to install the prerequisites for Access-Denied Assistance.
Because Access-Denied Assistance relies up on e-mail notifications, we also need to configure
each relevant file server with a Simple Mail Transfer Protocol (SMTP) server address. Let's do
that quickly with Windows PowerShell:
Set-FSRMSetting -SMTPServer mailserver.nuggetlab.com -AdminEmailAddress
[email protected] -FromEmailAddress [email protected]
You can enable Access-Denied Assistance either on a per-server basis or centrally via Group
Policy. To my mind, the latter approach is infinitely preferable from an administration standpoint.
Create a new GPO and make sure to target the GPO at your file servers' Active Directory
computer accounts as well as those of your AD client computers. In the Group Policy Object
Editor, we are looking for the following path to configure Access-Denied Assistance:
\Computer Configuration\Policies\Administrative Templates\System\Access-Denied Assistance

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 269
http://www.braindump2go.com
The Customize message for Access Denied errors policy, shown in the screenshot below,
enables us to create the actual message box shown to users when they access a shared file to
which their user account has no access.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 270
http://www.braindump2go.com
What's cool about this policy is that we can "personalize" the e-mail notifications to give us
administrators (and, optionally, file owners) the details they need to resolve the permissions issue
quickly and easily.
For instance, we can insert pre-defined macros to swap in the full path to the target file, the
administrator e-mail address, and so forth. See this example:
Whoops! It looks like you're having trouble accessing [Original File Path]. Please click Request
Assistance to send [Admin Email] a help request e-mail message. Thanks!
You should find that your users prefer these human-readable, informative error messages to the
cryptic, non-descript error dialogs they are accustomed to dealing with.
The Enable access-denied assistance on client for all file types policy should be enabled to force
client computers to participate in Access-Denied Assistance. Again, you must make sure to target
your GPO scope accordingly to "hit" your domain workstations as well as your Windows Server
2012 file servers.
Testing the configuration
This should come as no surprise to you, but Access-Denied Assistance works only with Windows
Server 2012 and Windows 8 computers. More specifically, you must enable the Desktop
Experience feature on your servers to see Access-Denied Assistance messages on server
computers.
When a Windows 8 client computer attempts to open a file to which the user has no access, the
custom Access-Denied Assistance message should appear:

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 271
http://www.braindump2go.com
If the user clicks Request Assistance in the Network Access dialog box, they see a secondary
message:

At the end of this process, the administrator(s) will receive an e-mail message that contains the
key information they need in order to resolve the access problem:
The user's Active Directory identity
The full path to the problematic file
A user-generated explanation of the problem
So that's it, friends! Access-Denied Assistance presents Windows systems administrators with an
easy-to-manage method for more efficiently resolving user access problems on shared file
system resources. Of course, the key caveat is that your file servers must run Windows Server
2012 and your client devices must run Windows 8, but other than that, this is a great technology
that should save admins extra work and end-users extra headaches.
http://4sysops.com/archives/access-denied-assistance-in-windows-server-2012/

QUESTION 286
Your network contains an Active Directory domain named contoso.com.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 272
http://www.braindump2go.com
All domain controllers run Windows Server 2012 R2.
Administrators use client computers that run Windows 8 to perform all management tasks.
A central store is configured on a domain controller named DC1.
You have a custom administrative template file named App1.admx. App1.admx contains
application settings for an application named Appl.
From a client computer named Computer1, you create a new Group Policy object (GPO) named
GPO1.
You discover that the application settings for App1 fail to appear in GPO1.
You need to ensure that the App1 settings appear in all of the new GPOs that you create.
What should you do?

A. Copy App1.admx to \\Contoso.com\SYSVOL\Contoso.com\Policies\PolicyDefinitions\


B. From the Default Domain Controllers Policy, add App1.admx to the Administrative Templates.
C. From the Default Domain Policy, add App1.admx to the Administrative Templates
D. Copy App1.admx to \\Contoso.com\SYSVOL\Contoso.com\StarterGPOs.

Answer: A
Explanation:
To take advantage of the benefits of . admx files, you must create a Central Store in the SYSVOL
folder on a domain controller. The Central Store is a file location that is checked by the Group
Policy tools. The Group Policy tools use any . admx files that are in the Central Store. The files
that are in the Central Store are later replicated to all domain controllers in the domain.

QUESTION 287
Your network contains an Active Directory domain named contoso.com.
All domain controllers run Windows Server 2012 R2.
One of the domain controllers is named DC1.
The DNS zone for the contoso.com zone is Active Directory-integrated and has the default
settings.
A server named Server1 is a DNS server that runs a UNIX-based operating system.
You plan to use Server1 as a secondary DNS server for the contoso.com zone.
You need to ensure that Server1 can host a secondary copy of the contoso.com zone.
What should you do?

A. From Windows PowerShell, run the Set-DnsServerPrimaryZone cmdlet and specify the contoso.com
zone as a target.
B. From DNS Manager, modify the Security settings of DC1
C. From DNS Manager, modify the Zone Transfers settings of the contoso.com zone.
D. From DNS Manager, modify the Advanced settings of DC1.

Answer: C
Explanation:
Bind might be a must on Unix, but so is enabling Zone Transfer for it to be able to work at all.
Default settings has it unmarked.

QUESTION 288
Your network contains an Active Directory domain named contoso.com. The domain contains a
server named Server1 that runs Windows Server 2012 R2 and has the Network Policy Server
role service installed.
You need to enable trace logging for Network Policy Server (NPS) on Server1.
Which tool should you use?

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 273
http://www.braindump2go.com
A. the Network Policy Server console
B. the Server Manager console
C. the tracert.exe command
D. the netsh.exe command

Answer: D
Explanation:
You can use log files on servers running Network Policy Server (NPS) and NAP client computers
to help troubleshoot NAP problems. Log files can provide the detailed information required for
troubleshooting complex problems.
You can capture detailed information in log files on servers running NPS by enabling remote
access tracing. The Remote Access service does not need to be installed or running to use
remote access tracing. When you enable tracing on a server running NPS, several log files are
created in %windir%\tracing.
The following log files contain helpful information about NAP:
IASNAP.LOG: Contains detailed information about NAP processes, NPS authentication, and NPS
authorization.
IASSAM.LOG: Contains detailed information about user authentication and authorization.
Membership in the local Administrators group, or equivalent, is the minimum required to enable
tracing. Review details about using the appropriate accounts and group memberships at Local
and Domain Default Groups
(http://go.microsoft.com/fwlink/?LinkId=83477).
To create tracing log files on a server running NPS
Open a command line as an administrator.
Type netshras set tr * en.
Reproduce the scenario that you are troubleshooting.
Type netshras set tr * dis.
Close the command prompt window.
http://technet.microsoft.com/en-us/library/dd348461%28v=ws.10%29.aspx

QUESTION 289
Hotspot Question
Your network contains an Active Directory forest named contoso.com. The forest contains a
single domain. The forest contains two Active Directory sites named Site1 and Site2.
You plan to deploy a read-only domain controller (RODC) named DC10 to Site2.
You pre- create the DC10 domain controller account by using Active Directory Users and
Computers.
You need to identify which domain controller will be used for initial replication during the
promotion of the RODC.
Which tab should you use to identify the domain controller? To answer, select the appropriate tab
in the answer area.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 274
http://www.braindump2go.com
Answer:

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 275
http://www.braindump2go.com
QUESTION 290
Your network contains an Active Directory domain named contoso.com. The domain contains a
server named Server1 that runs Windows Server 2012 R2 and has the DNS Server server role
installed.
Server1 is configured to delete automatically the DNS records of client computers that are no
longer on the network. A technician confirms that the DNS records are deleted automatically from
the contoso.com zone.
You discover that the contoso.com zone has many DNS records for servers that were on the
network in the past, but have not connected to the network for a long time.
You need to set the time stamp for all of the DNS records in the contoso.com zone.
What should you do?

A. From DNS Manager, modify the Advanced settings from the properties of Server1
B. From Windows PowerShell, run the Set-DnsServerResourceRecordAging cmdlet
C. From DNS Manager, modify the Zone Aging/Scavenging Properties
D. From Windows PowerShell, run the Set-DnsServerZoneAging cmdlet.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 276
http://www.braindump2go.com
Answer: B
Explanation:
https://technet.microsoft.com/en-us/library/jj649936.aspx

QUESTION 291
Your network contains an Active Directory domain named contoso.com.
The domain contains a server named Server1 that runs Windows Server 2012 R2.
You enable and configure Routing and Remote Access (RRAS) on Server1.
You create a user account named User1.
You need to ensure that User1 can establish VPN connections to Server1.
What should you do?

A. Modify the members of the Remote Management Users group.


B. Add a RADIUS client.
C. Modify the Dial-in setting of User1.
D. Create a connection request policy.

Answer: C
Explanation:
Access permission is also granted or denied based on the dial-in properties of each user account.
http://technet.microsoft.com/en-us/library/cc772123.aspx

QUESTION 292
Your network contains an Active Directory domain named contoso.com.
All user accounts reside in an organizational unit (OU) named OU1. All of the users in the
marketing department are members of a group named Marketing. All of the users in the human
resources department are members of a group named HR.
You create a Group Policy object (GPO) named GPO1.
You link GPO1 to OU1. You configure the Group Policy preferences of GPO1 to add two
shortcuts named Link1 and Link2 to the desktop of each user.
You need to ensure that Link1 only appears on the desktop of the users in Marketing and that
Link2 only appears on the desktop of the users in HR.
What should you configure?

A. Security Filtering
B. WMI Filtering
C. Group Policy Inheritance
D. Item-level targeting

Answer: D
Explanation:
You can use item-level targeting to change the scope of individual preference items, so they
apply only to selected users or computers. Within a single Group Policy object (GPO), you can
include multiple preference items, each customized for selected users or computers and each
targeted to apply settings only to the relevant users or computers.
http://technet.microsoft.com/en-us/library/cc733022.aspx

QUESTION 293
Your network contains a single Active Directory domain named contoso.com.
All domain controllers run Windows Server 2012 R2.
The domain contains 400 desktop computers that run Windows 8 and 10 desktop computers that

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 277
http://www.braindump2go.com
run Windows XP Service Pack 3 (SP3).
All new desktop computers that are added to the domain run Windows 8.
All of the desktop computers are located in an organizational unit (OU) named OU1.
You create a Group Policy object (GPO) named GPO1.
GPO1 contains startup script settings. You link GPO1 to OU1.
You need to ensure that GPO1 is applied only to computers that run Windows XP SP3.
What should you do?

A. Create and link a WML filter to GPO1


B. Run the Set-GPInheritance cmdlet and specify the -target parameter.
C. Run the Set-GPLink cmdlet and specify the -target parameter.
D. Modify the Security settings of OU1.

Answer: A
Explanation:
WMI Filtering is used to get information of the system and apply the GPO on it with the condition
is met. Security filtering: apply a GPO to a specific group (members of the group)

QUESTION 294
Your network contains an Active Directory domain named contoso.com.
Network Policy Server (NPS) is deployed to the domain.
You plan to deploy Network Access Protection (NAP).
You need to configure the requirements that are validated on the NPS client computers.
What should you do?

A. From the Network Policy Server console, configure a network policy.


B. From the Network Policy Server console, configure a health policy.
C. From the Network Policy Server console, configure a Windows Security Health Validator
(WSHV) policy.
D. From a Group Policy object (GPO), configure the NAP Client Configuration security setting.
E. From a Group Policy object (GPO), configure the Network Access Protection Administrative
Templates setting.

Answer: C
Explanation:
The settings of the Windows Security Health verification. The client computer requirements are
defined, of which a connection to your network is established Windows Security Health Checks
can Windows be created 7 and Windows Vista for Windows XP or for Windows 8. Guidelines for
Windows XP does not support testing of Antispywarefuntkionen.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 278
http://www.braindump2go.com
QUESTION 295
Your network contains an Active Directory domain named adatum.com.
The domain contains a server named Server1 that runs Windows Server 2012 R2.
Server1 is configured as a Network Policy Server (NPS) server and as a DHCP server.
The network contains two subnets named Subnet1 and Subnet2.
Server1 has a DHCP scope for each subnet.
You need to ensure that noncompliant computers on Subnet1 receive different network policies
than noncompliant computers on Subnet2.
Which two settings should you configure? (Each correct answer presents part of the solution.
Choose two.)

A. The NAP-Capable Computers conditions


B. The NAS Port Type constraints
C. The Health Policies conditions
D. The MS-Service Class conditions
E. The Called Station ID constraints

Answer: CD
Explanation:
The network contains two subnets named Subnet1 and Subnet2. Server1 has a DHCP
scope for each subnet.
The MS-Service Class conditions can be used to identify DHCP scope, i.e subnet,
The MS-Service Class = DHCP > Network access protection tab > Use custom profile > Profile
Name
You need to create health policy :
Noncompliant health policy for NonCompliant computers.
At first, you need to create health policy for noncompliant computers :

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 279
http://www.braindump2go.com
Right-click Health Policies, and then click New.
On the Create New Health Policy dialog box, under Policy Name, type Noncompliant.
Under Client SHV checks, select Client fails one or more SHV checks.
Under SHVs used in this health policy, select the Windows Security Health Validator check box,
and then click OK.
More info : https://technet.microsoft.com/en-us/library/dd441008.aspx
Than you can create two network policies based on those two health policies and MS-Service
Class conditions
Network policy 1 = MS-Service Class (Profile name) for subnet1 + Health policy for NonCompliant
computers.
Network policy 2 = MS-Service Class (Profile name) for subnet2 + Health policy for NonCompliant
computers.
Network policy :
Network policy > Conditions tab > Health policy condition + MS-service class condition.
In the NPS management console, in the tree, right-click Network Policies, and then click New.
In the Specify Network Policy Name and Connection Type window, in the Policy name box, type
Noncompliant, and then click Next.
In the Specify Conditions window, click Add.
On the Select condition dialog box, double-click Health Polices.
On the Health Policies dialog box, under Health policies, select Noncompliant, and then click OK.
In the Specify Conditions window, under Conditions, verify that Health Policy is specified with a
value of Noncompliant, and then click Next.
If you want to configure the MS-Service Class condition, click MS-Service Class, and then click
Add. In Specify the profile name that identifies your DHCP scope,
type the name of an existing DHCP profile, and then click Add.

QUESTION 296
Your network contains an Active Directory domain named contoso.com.
The functional level of the forest is Windows Server 2008 R2.
Computer accounts for the marketing department are in an organizational unit (OU) named
Departments\Marketing\Computers.
User accounts for the marketing department are in an OU named Departments\Marketing\Users.
All of the marketing user accounts are members of a global security group named
MarketingUsers. All of the marketing computer accounts are members of a global security group
named MarketingComputers.
In the domain, you have Group Policy objects (GPOs) as shown in the exhibit. (Click the Exhibit
button.)

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 280
http://www.braindump2go.com
You create two Password Settings objects named PSO1 and PSO2.
PSO1 is applied to MarketingUsers. PSO2 is applied to MarketingComputers.
The minimum password length is defined for each policy as shown in the following table.

You need to identify the minimum password length required for each marketing user.
What should you identify?

A. 5
B. 6

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 281
http://www.braindump2go.com
C. 7
D. 10
E. 12

Answer: D

QUESTION 297
Your network contains an Active Directory domain named adatum.com.
You need to audit changes to the files in the SYSVOL shares on all of the domain controllers.
The solution must minimize the amount of SYSVOL replication traffic caused by the audit.
Which two settings should you configure? (Each correct answer presents part of the solution.
Choose two.)

A. Audit Policy\Audit system events


B. Advanced Audit Policy Configuration\DS Access
C. Advanced Audit Policy Configuration\Global Object Access Auditing
D. Audit Policy\Audit object access
E. Audit Policy\Audit directory service access
F. Advanced Audit Policy Configuration\Object Access

Answer: DF
Explanation:
Here object access must be monitored on the share \\contoso.local\ ysvol. This is possible on
general audit policy and the Advanced Audit Policy Configuration.
The nine basic audit policies under Computer Configuration \ Policies \ Windows Settings \
Security Settings \ Local Policies \ Audit Policy allow you to configure security monitoring
policy settings for various behavior of which generate some much more audit events than others.
An administrator must review all generated events, regardless of whether they are of interest or
not. Starting with Windows Server 2008 R2 and Windows 7 can monitor the client behavior on the
computer or on the network targeted administrators, so that it is easier for them to abnormalities
faster identify.
For example, there are under Computer Configuration \ Policies \ Windows Settings \
Security Settings \ Local Policies \ Audit Policy only one policy setting for logon events: Audit
logon events.
Under Computer Configuration \ Policies \ Windows Settings \ Security Settings \
Advanced Audit Policy Configuration \ System Audit Policies, you can instead select the
category logon / logoff eight different policy settings.
In this way you can control the aspects of logon and logoff you can track precisely.

QUESTION 298
Your network contains multiple Active Directory sites.
You have a Distributed File System (DFS) namespace that has a folder target in each site.
You discover that some client computers connect to DFS targets in other sites.
You need to ensure that the client computers only connect to a DFS target in their respective site.
What should you modify?

A. The properties of the Active Directory sites


B. The properties of the Active Directory site links
C. The delegation settings of the namespace
D. The referral settings of the namespace

Answer: D

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 282
http://www.braindump2go.com
Explanation:
When a user accesses a namespace root or DFS folder with targets, the client computer receives
an ordered list of servers or locations. This list is called a reference. Upon receipt of the reference
to the computer attempts to access the first server in the list. If the server is not available, an
attempt is made by the client computer to access the next server.
If a server is unavailable, you can configure clients to fail back to the preferred server is running,
as soon as it is available again. By default, targets are set within the client's site on the first digits
of the sorted list.
Then, the following entries for servers in other locations, which can be arranged by different
sorting methods If only the folder targets are approved within the client site, the sorting method
can exclude targets outside of the client site to be selected.
The figure illustrates the configuration options:

http://www.windowsnetworking.com/articles_tutorials/Configuring-DFS-Namespaces.html

QUESTION 299
Your network contains an Active Directory domain named contoso.com.
The domain contains a domain controller named DC1 that runs Windows Server 2012.
You have a Group Policy object (GPO) named GPO1 that contains several custom Administrative
templates.
You need to filter the GPO to display only settings that will be removed from the registry when the
GPO falls out of scope. The solution must only display settings that are either enabled or disabled
and that have a comment.
How should you configure the filter? To answer, select the appropriate options below. Select
three.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 283
http://www.braindump2go.com
A. Set Managed to: Yes
B. Set Managed to: No
C. Set Managed to: Any
D. Set Configured to: Yes
E. Set Configured to: No
F. Set Configured to: Any
G. Set Commented to: Yes
H. Set Commented to: No
I. Set Commented to: Any

Answer: ADG
Explanation:
"I change the Set Configured to: any to yes"

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 284
http://www.braindump2go.com
(Only configured have the choice enabled or disabled)

QUESTION 300
Your network contains an Active Directory domain named adatum.com.
The domain contains five servers. The servers are configured as shown in the following table.

All desktop computers in adatum.com run Windows 8 and are configured to use BitLocker Drive
Encryption (BitLocker) on all local disk drives.
You need to deploy the Network Unlock feature.
The solution must minimize the number of features and server roles installed on the network.
To which server should you deploy the feature?

A. Server3
B. Server1
C. DC2
D. Server2
E. DC1

Answer: B
Explanation:
The BitLocker-NetworkUnlock feature must be installed on a Windows Deployment Server (which
does not have to be configured--the WDSServer service just needs to be running).

QUESTION 301
Your network contains an Active Directory domain named contoso.com.
All domain controllers run Windows Server 2012.
You pre-create a read-only domain controller (P.QDC) account named RODC1.
You export the settings of RODC1 to a file named Filel.txt.
You need to promote RODC1 by using File1.txt.
Which tool should you use?

A. The Install-WindowsFeature cmdlet


B. The Add-WindowsFeature cmdlet
C. The Dism command

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 285
http://www.braindump2go.com
D. The Install-ADDSDomainController cmdlet
E. the Dcpromo command

Answer: E
Explanation:
Dcpromo.exe deprecated in Windows Server 2012 Design.
You can use it for unattended installations but still.
If you're in Windows Server 2012 "dcpromo.exe" run (with no parameters) from a command
prompt, you will be redirected via a message to Server Manager, where Active Directory Domain
Services with the wizard can install the Add Roles.
If you /dcpromo unattend run from a command prompt, you can still perform automatic
installations with Dcpromo.exe.
So organizations can continue to use automated installation routines with dcpromo.exe for Active
Directory Domain Services (AD DS), to write these routines with new Windows PowerShell.

QUESTION 302
You deploy a windows Server Update (WSUS) server named Server01.
You need to ensure that you can view update reports and computer reports on server01.
Which two components should you install? Each correct answer presents part of the solution.

A. Microsoft Report Viewer 2008 Redistributable Package


B. Microsoft .Net Framework 2.0
C. Microsoft SQL Server 2008 R2 Builder 3.0
D. Microsoft XPS Viewer
E. Microsoft SQL Server 2012 reporting Services (SSRS)

Answer: AB
Explanation:
The Microsoft Report Viewer 2008 Redistributable Package includes Windows Forms and
ASP.NET Web server controls for viewing reports that have been created for the Microsoft
reporting technology.
The Windows Server Update Services (WSUS) require the .Net Framework 2.0 and this
extension to display the reports. To distribute updates of the extension is not needed. In the later
installation of a subsequent restart of the management console is required.

QUESTION 303
You deploy a windows Server Update (WSUS) server named Server01.
You need to prevent the WSUS service on Server01 from being updated automatically.
What should you do from the update service console?

A. From the Product and Classification options, modify the Products setting.
B. From the Automatic Approvals options, modify the Advanced settings.
C. From the Product and Classification options, modify the Classifications setting.
D. From the Automatic Approvals options, modify the Default Automatic Approval rule.

Answer: B

QUESTION 304
You have a group managed Service Account name Account01.
Only three servers named Server01, Server02 and Server03 are allowed to use Account01
service account.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 286
http://www.braindump2go.com
You plan to decommission Server01.
You need to prevent Server01 from using the Account01 service account.
The solution must ensure that Server02 and Server03 continue to use the Account01 service
account.
What command should you run? To answer, select the appropriate options in the answer area.

Answer Area
Account01 Remove-ADServiceAccount -DNSHostName
Server01 Reset-ADServiceAccount -PrincipalsAllowedToReteriveMamagedPassword
Server01$ Set-ADServiceAccount -SAMAccountNAme Server02,Server03 -Server
Server02$,Server03$

Answer: Account01 Remove-ADServiceAccount -DNSHostName

QUESTION 305
Note: This Question is part of series of question that use the same or similar answer choices.
An answer choice may be correct for more than one question in the series. Each question is
independent of the other questions in the series. Information and detailed provided in a question
apply only to that question.
You network contains one Active Directory domain named contoso.com.
The forest functional level is Windows Server 2012.
All servers run Windows Server 2012 R2. All client computer run Windows 8.1.
The domain contains 10 domain controllers and a read-only domain controller (RODC) named
RODC01. All domain controllers and RODCs are hosted on a Hyper-V host that runs Windows
Server 2012 R2.
You need to identify which domain controller must be online when cloning a domain controller.
Which cmdlet should you use?

A. Get-ADGroupMember
B. Get-ADDomainControllerPasswordReplicationPolicy
C. Get-ADDomainControllerPasswordReplicationPolicyUsage
D. Get-ADDomain
E. Get-ADOptionalFeature
F. Get-ADAccountAuthorizationGroup
G. Get-ADAuthenticationPolicySlio
H. Get-ADAuthenticationPolicy

Answer: D
Explanation:
One requirement for cloning a domain controller is an existing Windows Server 2012 DC that
hosts the PDC emulator role. You can run the Get-ADDomain and retrieve which server has the
PDC emulator role.
Example: Command Prompt: C:\PS>
Get-ADDomain
Output wouldinclude a line such as: PDCEmulator : Fabrikam-DC1.Fabrikam.com
Incorrect:
Not A: The Get-ADGroupMember cmdlet gets the members of an Active Directory group.
Members can be users, groups, and computers.
Not E: The Get-ADOptionalFeature cmdlet gets an optional feature or performs a search to
retrieve multiple optional features from an Active Directory. Not F: The Get-ADAuthorizationGroup
cmdlet gets the security groups from the specified user, computer or service accounts token.
Reference: Step-by-Step: Domain Controller Cloning
http://blogs.technet.com/b/canitpro/archive/2013/06/12/step-by-step-domain-controller-
cloning.aspx

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 287
http://www.braindump2go.com
Reference: Get-ADDomain
https://technet.microsoft.com/en-us/library/ee617224.aspx

QUESTION 306
Note: This Question is part of series of question that use the same or similar answer choices.
An answer choice may be correct for more than one question in the series. Each question is
independent of the other questions in the series. Information and detailed provided in a question
apply only to that question.
You network contains one Active Directory domain named contoso.com.
The forest functional level is Windows Server 2012.
All servers run Windows Server 2012 R2. All client computer run Windows 8.1.
The domain contains 10 domain controllers and a read-only domain controller (RODC) named
RODC01. All domain controllers and RODCs are hosted on a Hyper-V host that runs Windows
Server 2012 R2.
You need to identify whether deleted objects can be recovered from the Active Directory Recycle
Bin.
Which cmdlet should you use?

A. Get-ADGroupMember
B. Get-ADDomainControllerPasswordReplicationPolicy
C. Get-ADDomainControllerPasswordReplicationPolicyUsage
D. Get-ADDomain
E. Get-ADOptionalFeature
F. Get-ADAccountAuthorizationGroup
G. Get-ADAuthenticationPolicySlio
H. Get-ADAuthenticationPolicy

Answer: E
Explanation:
The Get-ADOptionalFeature cmdlet gets an optional feature or performs a search to retrieve
multiple optional features from an Active Directory.
Example: Get-ADOptionalFeature 'Recycle Bin Feature' Get the optional feature with the name
'Recycle Bin Feature'.
Reference: Get-ADOptionalFeature
https://technet.microsoft.com/en-us/library/ee617218.aspx

QUESTION 307
Note: This Question is part of series of question that use the same or similar answer choices.
An answer choice may be correct for more than one question in the series. Each question is
independent of the other questions in the series. Information and detailed provided in a question
apply only to that question.
You network contains one Active Directory domain named contoso.com.
The forest functional level is Windows Server 2012.
All servers run Windows Server 2012 R2. All client computer run Windows 8.1.
The domain contains 10 domain controllers and a read-only domain controller (RODC) named
RODC01. All domain controllers and RODCs are hosted on a Hyper-V host that runs Windows
Server 2012 R2.
You need to identify whether the members of the protected Users group will be prevented from
authenticating by using NTLM.
Which cmdlet should you use?

A. Get-ADGroupMember

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 288
http://www.braindump2go.com
B. Get-ADDomainControllerPasswordReplicationPolicy
C. Get-ADDomainControllerPasswordReplicationPolicyUsage
D. Get-ADDomain
E. Get-ADOptionalFeature
F. Get-ADAccountAuthorizationGroup
G. Get-ADAuthenticationPolicySlio
H. Get-ADAuthenticationPolicy

Answer: D

QUESTION 308
Note: This Question is part of series of question that use the same or similar answer choices.
An answer choice may be correct for more than one question in the series. Each question is
independent of the other questions in the series. Information and detailed provided in a question
apply only to that question.
You network contains one Active Directory domain named contoso.com.
The forest functional level is Windows Server 2012.
All servers run Windows Server 2012 R2.
All client computer run Windows 8.1.
The domain contains 10 domain controllers and a read-only domain controller (RODC) named
RODC01. All domain controllers and RODCs are hosted on a Hyper-V host that runs Windows
Server 2012 R2.
You need to identify which user accounts were authenticated by RODC1.
Which cmdlet should you use?

A. Get-ADGroupMember
B. Get-ADDomainControllerPasswordReplicationPolicy
C. Get-ADDomainControllerPasswordReplicationPolicyUsage
D. Get-ADDomain
E. Get-ADOptionalFeature
F. Get-ADAccountAuthorizationGroup
G. Get-ADAuthenticationPolicySlio
H. Get-ADAuthenticationPolicy

Answer: C
Explanation:
https://technet.microsoft.com/en-us/library/ee617194.aspx

QUESTION 309
Your Company is testing DirectAccess on Windows Server 2012 R2. Users report that when they
connect to the corporate network by using DirectAccess, access to Internet websites and Internet
hosts is slow. The users report that when they disconnect from DirectAccess, acces to the
internet websites and the internet hosts is much faster.
You need to identify the most likely cause of the performance issue.
What should you identify?

A. DirectAccess uses a self-signed certificate.


B. The corporate firewall blocks TCP port 8080.
C. Force tunneling is enabled.
D. The DNS suffix list is empty

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 289
http://www.braindump2go.com
Answer: C
Explanation:
If Direct Access is configured for Force tunneling, compounds of the DirectAccess client to the
internal network and the Internet via the remote access server are routed. The "detour" via the
company network, can slow down access to websites and hosts on the Internet.

QUESTION 310
Your network contains one Active Directory domain named contoso.com. The domain contains a
file server named Server01 that runs Windows Server 2012 R2. Server01 has an operating
system drive and a data drive. Server01 has a trusted Platform Module (TPM).
Which cmdlet should you run first?

A. Enable-TPMAutoProvisioning
B. Unblock-TPM
C. Install-WindowsFeature
D. Lock-BitLocker

Answer: C
Explanation:
The Windows feature BitLocker Drive Encryption is not installed by default. The following call
installs the feature with all its components and management tools: Install Windows feature
BitLocker -IncludeAllSubFeature -IncludeManagementTools

QUESTION 311
You have the following Windows PowerShell output.

You need to create a Managed service Account.


What should you do?

A. Run Set-KDSConfiguration and then run New-ADServiceAccount -Name “service01” -


DNSHostName service01.contoso.com
B. Run New-AuthenticationPolicySilo, and then run New-ADServiceAccount -Name
“service01” –DNSHostName service01.contoso.com.
C. Run Add-KDSRootKey, and then run New-ADServiceAccount -Name “service01”
-DNSHostName service01.contoso.com.
D. Run New-ADServiceAccount - Name “service01” - DNSHostName service01.contoso.com -
SAMAccountName service01.

Answer: C
Explanation:
From the exhibit we see that the required key does not exist. First we create this key, then we
create the managed service account.
The Add-KdsRootKey cmdlet generates a new root key for the Microsoft Group Key Distribution
Service (KdsSvc) within Active Directory (AD). The Microsoft Group KdsSvc generates new group

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 290
http://www.braindump2go.com
keys from the new root key.
The New-ADServiceAccount cmdlet creates a new Active Directory managed service account.
Reference: New-ADServiceAccount
https://technet.microsoft.com/en-us/library/hh852236(v=wps.630).aspx
Reference: Add-KdsRootKey
https://technet.microsoft.com/en-us/library/jj852117(v=wps.630).aspx

QUESTION 312
Hotspot Question
Your network contains an Active Directory domain named adatum.com.
The domain contains a server named Server1.
Your company implements DirectAccess.
A user named User1 works at a customer's office.
The customer's office contains a server named Server1.
When User1 attempts to connect to Server1, User1 connects to Server1 in adatum.com.
You need to provide User1 with the ability to connect to Server1 in the customer's office.
Which Group Policy option should you configure? To answer, select the appropriate option in the
answer area.

Answer:

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 291
http://www.braindump2go.com
QUESTION 313
Hotspot Question
Your network contains a DNS server named Server1. Server1 hosts a DNS zone for
contoso.com.
You need to ensure that DNS clients cache records from contoso.com for a maximum of one
hour.
Which value should you modify in the Start of Authority (SOA) record? To answer, select the
appropriate setting in the answer area.

Answer:

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 292
http://www.braindump2go.com
QUESTION 314
Your network contains two Active Directory forests named contoso.com and adatum.com.
All domain controllers run Windows Server 2012 R2.
The adatum.com domain contains a Group Policy object (GPO) named GPO1.
An administrator from adatum.com backs up GPO1 to a USB flash drive.
You have a domain controller named dc1.contoso.com.
You insert the USB flash drive in dc1.contoso.com.
You need to identify the domain-specific reference in GPO1.
What should you do?

A. From the Migration Table Editor, click Populate from Backup.


B. From Group Policy Management, run the Group Policy Modeling Wizard.
C. From Group Policy Management, run the Group Policy Results Wizard.
D. From the Migration Table Editor, click Populate from GPO.

Answer: A
Explanation:
https://technet.microsoft.com/en-us/library/cc779961(v=ws.10).aspx

QUESTION 315
Your network contains 25 Web servers that run Windows Server 2012 R2.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 293
http://www.braindump2go.com
You need to configure auditing policies that meet the following requirements:

- Generate an event each time a new process is created.


- Generate an event each time a user attempts to access a file share.

Which two auditing policies should you configure? To answer, select the appropriate two auditing
policies in the answer area.

A. Audit access management (Not Defined)


B. Audit directory service access (Not Defined)
C. Audit logon events (Not Defined)
D. Audit object access(Not Defined)
E. Audit policy change(Not Defined)
F. Audit privilege use (Not Defined)
G. Audit process tracking (Not Defined)
H. Audit system events(Not Defined)

Answer: DG
Explanation:
* Audit Object Access
Determines whether to audit the event of a user accessing an object (for example, file, folder,
registry key, printer, and so forth) which has its own system access control list (SACL) specified.
* Audit Process Tracking
Determines whether to audit detailed tracking information for events such as program activation,
process exit, handle duplication, and indirect object access.
Reference: Audit object access
https://technet.microsoft.com/en-us/library/cc976403.aspx
Reference: Audit Process Tracking
https://technet.microsoft.com/en-us/library/cc976411.aspx

QUESTION 316
You have two Windows Server Update Services (WSUS) servers named Server01 and Server02.
Server01 synchronizes from Microsoft Update. Server02 synchronizes updates from Server01.
Both servers are members of the same Active Directory domain.
You configure Server01 to require SSL for all WSUS metadata by using a certificate issued by an
enterprise root certification authority (CA).
You need to ensure that Server02 synchronizes updates from Server01.
What should you do on Server02?

A. From a command prompt, run wsusutil.exe configuresslproxy server02 443.


B. From a command prompt, run wsusutil.exe configuressl server01.
C. From a command prompt, run wsusutil.exe configuresslproxy server01 443.
D. From the Update Services console, modify the Update Source and Proxy Server options.

Answer: D

QUESTION 317
Your network contains one Active Directory domain named contoso.com.
The forest functional level is Windows Server 2012. All servers run Windows Server 2012 R2.
All client computers run Windows 8.1.
The domain contains 10 domain controllers and a read-only domain controller (RODC) named
RODC01. All domain controllers and RODCs are hosted on a Hyper-V host that runs Windows

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 294
http://www.braindump2go.com
Server 2012 R2.
You need to identify which security principals are authorized to have their password cached on
RODC1.
Which cmdlet should you use?

A. Get-ADGroupMember
B. Get-ADDomainControllerPasswordReplicationPolicy
C. Get-ADDomainControllerPasswordReplicationPolicyUsage
D. Get-ADDomain
E. Get-ADOptionalFeature
F. Get-ADAccountAuthorizationGroup
G. Get-ADAuthenticationPolicySlio
H. Get-ADAuthenticationPolicy

Answer: B

QUESTION 318
You have a group Managed Service Account named Service01.
Three servers named Server01, Server02, and Server03 currently use the Service01 service
account.
You plan to decommission Server01.
You need to remove the cached password of the Service01 service account from Server01.
The solution must ensure that Server02 and Server03 continue to use Service01.
Which cmdlet should you run?

A. Set-ADServiceAccount
B. Remove-ADServiceAccount
C. Uninstall-ADServiceAccount
D. Reset-ADServiceAccountPassword

Answer: B
Explanation:
The Remove-ADServiceAccount cmdlet removes an Active Directory service account.
This cmdlet does not make changes to any computers that use the service account.
After this operation, the service account is no longer hosted on the target computer but still exists
in the directory.
Incorrect:
Not C: The Uninstall-ADServiceAccount cmdlet removes an Active Directory service account on
the computer on which the cmdlet is run.
The specified service account must be installed on the computer.
Reference: Remove-ADServiceAccount
https://technet.microsoft.com/en-us/library/ee617190.aspx

QUESTION 319
Your network contains an Active Directory domain named adatum.com.
The domain contains 10 domain controllers that run Windows Server 2012 R2.
You plan to create a new Active Directory-integrated zone named contoso.com.
You need to ensure that the new zone will be replicated to only four of the domain controllers.
What should you do first?

A. Create an application directory partition.


B. Create an Active Directory connection object.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 295
http://www.braindump2go.com
C. Create an Active Directory site link.
D. Change the zone replication scope.

Answer: A
Explanation:
Application directory partitions
An application directory partition is a directory partition that is replicated only to specific domain
controllers. A domain controller that participates in the replication of a particular application
directory partition hosts a replica of that partition. Only domain controllers running Windows
Server 2003 can host a replica of an application directory partition.

QUESTION 320
Hotspot Question
Your network contains one Active Directory domain named contoso.com.
The domain contains 10 file servers that run Windows Server 2012 R2.
You plan to enable BitLocker Drive Encryption (BitLocker) for the operating system drives of the
file servers.
You need to configure BitLocker policies for the file servers to meet the following requirements:

- Ensure that all of the servers use a startup PIN for operating system
drives encrypted with BitLocker.
- Ensure that the BitLocker recovery key and recovery password are
stored in Active Directory.

Which two Group Policy settings should you configure? To answer, select the appropriate
settings in the answer area.

Answer:

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 296
http://www.braindump2go.com
Explanation:
https://technet.microsoft.com/en-us/library/jj679890.aspx#BKMK_rec1
https://technet.microsoft.com/en-us/library/jj679890.aspx#BKMK_unlockpol1

QUESTION 321
Your network contains one Active Directory domain named contoso.com.
From the Group Policy Management console, you view the details of a Group Policy object (GPO)
named GPO1.
You need to ensure that the comments field of GPO1 contains a detailed description of GPO1.
What should you do?

A. From Active Directory Users and Computers, edit the properties of


contoso.com/System/Policies/{229DCD27-9D98-ACC2-A6AE-ED765F065FF5}.
B. Open GPO1 in the Group Policy Management Editor, and then modify the properties of GPO1.
C. From Notepad, edit \\contoso.com\SYSVOL\
contoso.com\Policies\{229DCD27-9D98- ACC2-A6AE-ED765F065FF5}\gpt.ini.
D. From Group Policy Management, click View, and then click Customize.

Answer: B
Explanation:
Adding a comment to a Group Policy object Open the Group Policy Management Console.
Expand the Group Policy Objects node.
Right-click the Group Policy object you want to comment and then click Edit.
In the console tree, right-click the name of the Group Policy object and then click Properties .
Click the Comment tab.
Type your comments in the Comment box.
Click OK
Reference: Comment a Group Policy Object
https://technet.microsoft.com/en-us/library/cc770974.aspx

QUESTION 322
Your network contains an Active Directory domain named contoso.com.
The domain contains a server named Server1 that runs Windows Server 2008 R2.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 297
http://www.braindump2go.com
You plan to test Windows Server 2012 R2 by using native-boot virtual hard disks (VHDs).
You have a Windows image file named file1.wim.
You need to add an image of a volume to file1.wim.
What should you do?

A. Run imagex.exe and specify the /append parameter.


B. Run imagex.exe and specify the /export parameter.
C. Run dism.exe and specify the /image parameter.
D. Run dism.exe and specify the /append-image parameter.

Answer: D
Explanation:
The Deployment Image Servicing and Management (DISM) tool is a command-line tool that
enables the creation of Windows image (.wim) files for deployment in a manufacturing or
corporate IT environment. The /Append-Image option appends a volume image to an
existing .wim file allowing you to store many customized Windows images in a fraction of the
space. When you combine two or more Windows image files into a single .wim, any files that are
duplicated between the images are only stored once.
Incorrect:
Not A, Not B: Imagex has been retired and replaced by dism.
Reference: Append a Volume Image to an Existing Image Using DISM
https://technet.microsoft.com/en-us/library/hh824916.aspx

QUESTION 323
You have a server that runs Windows Server 2012 R2.
You have an offline image named Windows2012.vhd that contains an installation of Windows
Server 2012 R2.
You plan to apply several updates to Windows2012.vhd.
You need to mount Wmdows2012.vhd to D:\Mount.
Which tool should you use?

A. Server Manager
B. Device Manager
C. Mountvol
D. Dism

Answer: D
Explanation:
You can use the Deployment Image Servicing and Management (DISM) tool to mount a Windows
image from a WIM or VHD file.
Mounting an image maps the contents of the image to a directory so that you can service the
image using DISM without booting into the image.
You can also perform common file operations, such as copying, pasting, and editing on a
mounted image.
To apply packages and updates to a Windows Embedded Standard 7 image, we recommend
creating a configuration set and then using Deployment Imaging Servicing and Management
(DISM) to install that configuration set. Although DISM can be used to install individual updates to
an image, this method carries some additional risks and is not recommended.

QUESTION 324
Your network contains a domain controller named DC1 that runs Windows Server 2012 R2.
You create a custom Data Collector Set (DCS) named DCS1.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 298
http://www.braindump2go.com
You need to configure DCS1 to collect the following information:

- The amount of Active Directory data replicated between DC1 and the
other
domain controllers
- The current values of several registry settings
Which two should you configure in DCS1? (Each correct answer presents part of the solution.
Choose two.)

A. Event trace data


B. A performance counter alert
C. Configuration data collector
D. A performance counter

Answer: CD
Explanation:
Automatically run a program when the amount of total free disk space on Server1 drops below 10
percent of capacity.
You can also configure alerts to start applications and performance logs Log the current values of
several registry settings.
System configuration information allows you to record the state of, and changes to, registry keys.
Total free disk space

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 299
http://www.braindump2go.com
Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 300
http://www.braindump2go.com
Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 301
http://www.braindump2go.com
Registry settings

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 302
http://www.braindump2go.com
Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 303
http://www.braindump2go.com
Run a program on alert

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 304
http://www.braindump2go.com
Notes 2 :
The Windows Performance Monitor is an MMC snap-in (Microsoft Management Console), are
provided in the tools for analyzing system performance. From a central console, you can monitor
application and hardware performance in real-time, specify which data you want to collect in logs,
define thresholds for alerts and automatic actions, generate reports, and view older performance
data in several ways. With the Windows Performance Monitor data using data collector sets
collected and logged may include performance indicators, event trace data, and system
configuration information (registry key). Depending on the selected data collection types you
various dialog boxes to add data files to your collection rate.
- Performance indicators provide data about the system performance.
- Performance indicators warnings allow you to run certain actions when exceeding or falling

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 305
http://www.braindump2go.com
below certain thresholds.
- To log registry settings, system configuration information can be recorded in reports. However,
you must know the exact key that you want to include in the Data Collector Set.
- Event trace data provide information about activities and system events are available.
- The relevant indicators for measuring the replication traffic of the Active Directory Domain
Services, see the performance object directory service. There are several indicators to measure
incoming and outgoing bytes / s.
http://technet.microsoft.com/en-us/library/cc766404.aspx
http://technet.microsoft.com/en-us/library/cc766404.aspx

QUESTION 325
Your corporate network includes an Active Directory Domain Services (AD DS) domain
certbase.de named.
The domain contains a Windows Server 2012 R2 computer named Server3.
Server3 performs the role of Windows Deployment Services.
To use the Windows Deployment Services to distribute an image to a client computer that does
not support PXE boot.
Which image type you will add Server3?

A. An install image
B. A boot image
C. A discover image
D. A capture image

Answer: C
Explanation:
The main image types used in Windows Deployment Services are installation and boot images.
Install images
Install images are the operating system images that you deploy to the client computer. You can
use the default install image (install.wim) located on the DVD of Windows Vista or Windows
Server 2008 in the \ Sources directory.
You can also create custom install images from reference computers and deploy them to client
computers. First, you boot a computer (which has been prepared with Sysprep) into a capture
image. Then the capture image an install image of the computer is created.
Boot images
Boot images are the images with which you start a client computer before installing the operating
system image. The boot image presents a boot menu that contains the images that users can
install on their computers.
These images contain Windows PE 2.0 and the Windows Deployment Services client. You can
use the default boot image included in the \ Sources directory of the Windows Server 2008
installation media (boot.wim).
This file must be only in advanced scenarios (for example, if you must add the image driver) to be
changed. Important Only use the Boot.wim file on the Windows Server 2008 DVD.
If you boot.wim file to use on the Windows Vista DVD, you can not use all the functionality of
Windows Deployment Services (for example, multicasting). There are also two image types that
you can create from boot images:. Capture images and discover images.
Capture Images
Capture Images are boot images that allow the utility starts to record the Windows Deployment
Services in place of the setup. If a reference computer (which has been prepared with Sysprep)
start with a capture image, an install image of the reference computer is created and saved as a
WIM file with an assistant. You can also create a medium (eg, CD, DVD or USB drive) that
contains a capture image, and then boot a computer to the media. After you create the install
image, you can use the image for PXE boot deployment Add the server. These images provide
an alternative to command-line tool ImageX.exe.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 306
http://www.braindump2go.com
Discover images
Discover images search images are boot images, which is enforced by that Setup.exe in
Windows Deployment Services mode is started. Subsequently, a Windows Deployment Services
server will be searched.
These images are typically used to deploy images to computers that are not configured for PXE
or that are in networks where PXE is not allowed. If you create a discover image and apply it to
the medium (eg, CD, DVD or Save USB drive), you can then boot a computer to the media.
The discover image on the media of the Windows Deployment Services server will be searched.
The installation image is provided by the server for the computer. You can configure discover
images so that a specific Windows Deployment Services server is used as a target. This means
that you can create a discover image when a plurality of servers in your environment for each
server and then can name each based on the name of the server.

QUESTION 326
Your network contains an Active Directory domain named contoso.com.
The domain contains a domain controller named dcl.contoso.com.
You discover that the Default Domain Policy Group Policy objects (GPOs) and the Default
Domain Controllers Policy GPOs were deleted.
You need to recover the Default Domain Policy and the Default Domain Controllers Policy GPOs.
What should you run?

A. dcgpofix.exe /target:domain
B. gpfixup.exe /dc:dc1.contoso.com
C. dcgpofix.exe /target:both
D. gptixup.exe /oldnb:contoso /newnb:dc1

Answer: C
Explanation:
This command-line tool Dcgpofix there since Windows Server 2003. It allows the rebuild of the
two default Group Policy objects (GPOs) Default Domain Policy (DDP) and Default Domain
Controllers Policy (ddCDP) or is it the two GPOs to their default settings if you exist.
Parameter /Target specifies what you want to restore the two default GPOs. Here the self-
explanatory values are domain, DC or Both possible.
The command-line utility GPFixup resolves issues with references to domain names, which can
possibly occur during a domain rename.

QUESTION 327
Your network contains an Active Directory domain named contoso.com.
The domain contains more than 100 Group Policy objects (GPOs).
Currently, there are no enforced GPOs.
You need to provide an Administrator named Admin1 with the ability to create GPOs in the
domain. The solution must not provide Sarah with the ability to link GPOs.
What should you use?

A. dcgpofix
B. Get-GPOReport
C. Gpfixup
D. Gpresult
E. Gptedit.msc
F. Import-GPO
G. Restore-GPO
H. Set-GPInheritance

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 307
http://www.braindump2go.com
I. Set-GPLink
J. Set-GPPermission
K. Gpupdate
L. Add-ADGroupMember

Answer: L
Explanation:
We can run the add-ADGroupMember use and Sarah in the Default Domain Group Policy Creator
Owners record.
Members of this group can create and modify GPOs, but do not link.

QUESTION 328
Your network contains an Active Directory domain named contoso.com.
All client computers run Windows 8 Pro.
You have a Group Policy object (GPO) named GP1. GP1 is linked to the domain.
GP1 contains the Windows Internet Explorer 10 and 11 Internet Settings.
The settings are shown in the exhibit.

Users report that when they open Windows Internet Explorer, the home page is NOT set to http://
www.contoso.com.
You need to ensure that the home page is set to http://www.contoso.com the next time users log

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 308
http://www.braindump2go.com
on to the domain.
What should you do?

A. On each client computer, run gpupdate.exe.


B. Open the Internet Explorer 10 and 11 Internet Settings, and then press F5.
C. Open the Internet Explorer 10 and 11 Internet Settings, and then modify the Tabs settings.
D. On each client computer, run Invoke-GPupdate.

Answer: B
Explanation:
The Section Home on the tab General is marked with a red dashed line.
This indicates that the setting has the status of "not configured".
If you press while the dialog box is open, the F5 key is changing the red dotted line in a solid
green line, which "activates" corresponds to the policy status.
Configure the following key combinations the status of the settings of the current tab:
F5 - All settings activated (green)
F6 - A setting is enabled (green)
F7 - A setting is not configured (red)
F8 - All settings are not activated (red)

QUESTION 329
Your network contains an Active Directory domain named contoso.com.
The domain contains 30 organizational units (OUs).
You need to ensure that a user named User1 can link Group Policy Objects (GPOs) in the
domain.
What should you do?

A. From the Active Directory Users and Computers, add User1 to the Network Configuration
Operators group.
B. From the Group Policies Management, click the contoso.com node and modify the Delegation
settings.
C. From the Group Policies Management, click the Group policy Objects node and modify the
Delegation settings.
D. From the Active Directory Users and Computers, add User1 to the Group Policy Creator Owners
group.

Answer: B
Explanation:

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 309
http://www.braindump2go.com
In addition to the administrators of a domain by default, members of the Group Policy Creator
Owners group the right to create group policies. If you want to enable users or groups to itself to
create GPOs, then there is a path on their inclusion in the Group Policy Creator Owners group.
However, since the introduction of the Group Policy Management, there are other and more
granular ways to delegate rights to manage GPOs. Thus, other groups or even individual users
can now be equipped with these privileges. For this purpose you open the Group Policy Objects
folder below the respective domain. Under the tab delegation is a list of all the groups and users
who have the right to create GPOs. The button can add additional users are granted this
privilege.
No matter how a user gets the right to create GPOs to, he may subsequently only edit or delete,
which he himself has created those. Denied him thus remains the possibility to change already
existing group policies or generally to link GPOs to an OU. For these tasks, users must be
authorized separately.
The right to link GPOs can a user, as described in answer B, be granted.

QUESTION 330
Your network contains an Active Directory domain named contoso.com.
All client computers run Windows 8.
Your company has users who work from home. Some of the home users have desktop
computers. Other home users have laptop computers.
All of the computers are joined to the domain.
All of the computer accounts are members of a group named Group1.
Currently, the home users access the corporate network by using a PPTP VPN.
You implement DirectAccess by using the default configuration and you specify Group1 as the
DirectAccess client group.
The home users who have desktop computers report that they cannot use DirectAccess to
access the corporate network.
The home users who have laptop computers report that they can use DirectAccess to access the
corporate network.
You need to ensure that the home users who have desktop computers can access the network by
using DirectAccess.
What should you modify?

A. The security settings of the computer accounts for the desktop computers
B. The membership of the RAS and IAS Servers group
C. The WMI filter for Direct Access Client Settings GPO

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 310
http://www.braindump2go.com
D. The conditions of the Connections to Microsoft Routing and Remote Access server policy

Answer: C
Explanation:
By default, the DirectAccess wizard DirectAccess prepared by applying a WMI filter on the GPO
for the client settings for all laptops and notebook computers in the domain.
To apply the settings of the GPOs for DirectAccess clients on all the group CBRemotecomputer
computer, we need to change or remove the WMI filter.

QUESTION 331
You have a Direct Access Server named Server1 running Server 2012.
You need to add prevent users from accessing websites from an Internet connection.
What should you configure?

A. Split Tunneling
B. Security Groups
C. Force Tunneling
D. Network Settings

Answer: C
Explanation:

If Direct Access is configured for Tunnelerzwingung, compounds of the DirectAccess client to the
internal network and the Internet via the remote access server are routed. In the corporate
network a proxy or a web filter can then be used, which blocks access to certain sites.
By default, the option is not enabled Tunnelerzwingung use.
The figure shows the default setting in the wizard for DirectAccess configuration:

QUESTION 332
Your network contains an Active Directory domain named contoso.com. The domain contains
three domain controllers. The domain controllers are configured as shown in the following table.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 311
http://www.braindump2go.com
You are creating a Distributed File System (DFS) namespace as shown in the exhibit.

You need to identify which configuration prevents you from creating a DFS namespace in
Windows Server 2008 mode.
Which configuration should you identify?

A. The location of the PDC emulator role


B. The functional level of the domain
C. The operating system on Server1 and Server3
D. The location of the RID master role

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 312
http://www.braindump2go.com
Answer: B
Explanation:
With DFS Namespaces (Distributed File System, Distributed File System) and the DFS
Replication is simplified, enabling highly available access to files, load balancing and WAN-
friendly replication. In the operating system Windows Server 2003 R2 Microsoft DFS
Namespaces has (formerly known as DFS) revised and renamed, the DFS Management snap-in
through the DFS Management snap-in replaces and introduced the new DFS Replication feature.
In the operating system Windows Server 2008 Windows Server 2008 mode for domain-based
namespaces as well as a number of improvements in terms of usability and performance have
been added. With the DFS technologies WAN-friendly (Wide Area Network) replication and
simplified, highly available access to geographically Distributed files allows. DFS includes these
two technologies:

DFS Namespaces Using DFS Namespaces You can shared folders located on different servers,
are grouped into one or more logically structured namespaces. Each namespace is displayed to
users as a single shared folder with a series of subfolders. With this structure, the availability is
increased, and for user connections to shared folders on the same Active Directory Domain
Services site are automatically prepared, if it is available. Users are therefore not routed over
WAN links.

DFS Replication DFS Replication is an efficient replication engine with multiple masters, with the
folders between servers via network connections with limited bandwidth can be continuously
synchronized. Thus, the FRS will File Replication Service (FRS) replaces a replication module for
DFS Namespaces and for replication of the AD DS SYSVOL folder in domains that use the
Windows Server 2008 domain functional level is used.

Domain-based namespaces in Windows Server 2008 mode


in Windows Server 2008 can domain-based namespaces in Windows Server 2008 mode are
created. This support for access-based enumeration and increased scalability is activated. The
2000 Server introduced in Windows domain-based namespace is now referred to as "domain-
based namespace (Windows 2000 Server mode)." To use the Windows Server 2008 mode, the
domain and the domain-based namespace must meet the following minimum requirements:
For the domain, the Windows Server 2008 domain functional level is used.
On all namespace servers running Windows Server of 2008.

QUESTION 333
On the DFS replication your receive a wrap error on the sysvol on domain controller 4.
Which 3 steps should you do to recover this error in the correct order?

A. Stop FSR
B. Start FSR
C. Edit the computer object in AD
D. Edit the registry
E. Stop DFSR
F. Start DFRS

Answer: ABD

QUESTION 12
Your network contains an Active Directory domain named contoso.com. The domain functional
level is Windows Server 2008. All domain controllers run Windows Server 2008 R2.
The domain contains a file server named Server1 that runs Windows Server 2012. Server1 has a

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 313
http://www.braindump2go.com
BitLocker Drive Encryption (BitLocker)-encrypted drive.
Server1 uses a Trusted Platform Module (TPM) chip.
You enable the Turn on TPM backup to Active Directory Domain Services policy setting by using
a Group Policy object (GPO).
You need to ensure that you can back up the BitLocker recovery information to Active Directory.
What should you do?

A. Raise the forest functional level to Windows Server 2008 R2.


B. Enable the Configure the level of TPM owner authorization information available to the operating
system policy setting and set the Operating system managed TPM authentication level to None.
C. Add a BitLocker data recovery agent.
D. Import the TpmSchemaExtension.ldf and TpmSchemaExtensionACLChanges.ldf schema
extensions to the Active Directory schema.

Answer: D

QUESTION 334
Your network contains an Active Directory domain named contoso.com.
The domain contains 2 WSUS servers, ServerA and ServerB.
ServerB is a replica server of ServerA.
You need to configure WSUS to report data from SERVERB to SERVERA.
What should you configure?

A. Update Reports
B. Synchronization
C. Computer Groups
D. Reporting Rollup

Answer: D

QUESTION 335
You are an admin. You have wsus with 2 sites which contain computers.
You want to have the ability to update the computers per site or together.
Which 3 steps do you do?

A. Create computer groups in wsus


B. Create synchronization options
C. Create GPO and configure updates
D. Under Tasks, click Synchronize now

Answer: ABC

QUESTION 336
Which of the options should you configure for a WDS pre-staged computer name?
You should select 2 of the 4 check boxes.

A. GUID o MAC-address preceding with nulls


B. WdsClientUnattend
C. Give the minimum required permission to a user who wants to promote a RODC.
D. ReferralServer

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 314
http://www.braindump2go.com
Answer: AC

QUESTION 337
You work as a network administrator at Lead2pass.com.
Lead2pass.com has an Active Directory Domain Services (AD DS) domain name
Lead2pass.com.
All servers in the Lead2pass.com domain have Microsoft Windows Server 2012 R2 installed.
The computer accounts for all file servers are located in an organizational unit (OU) named
DataOU. You are required to track user access to shared folders on the file servers.
Which of the following actions should you consider?

A. You should configure auditing of Account Logon events for the DataOU.
B. You should configure auditing of Object Access events for the DataOU.
C. You should configure auditing of Global Object Access Auditing events for the DataOU.
D. You should configure auditing of Directory Service Access events for the DataOU.
E. You should configure auditing of Privilege Use events for the DataOU.

Answer: B

QUESTION 338
You have installed Routing and Remote Access on Server1.
What should you configure next to use it as a NAT server?

A. Add New Interface


B. Create Static Route
C. Configure the IPv4 DHCP Relay Agent
D. Configure the IPv6 DHCP Relay Agent

Answer: A

QUESTION 339
Force an authoritative and non-authoritative synchronization for DFSR-replicated SYSVOL

A. dfsgui.msc
B. ultrasound
C. rplmon
D. frsutil

Answer: C

QUESTION 340
How to give the minimum required permission to a user who wants to promote a RODC.

A. member of the Domain Admins group


B. allowed to attach the server to the RODC computer account
C. Local admin
D. organization admin

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 315
http://www.braindump2go.com
Answer: BC

QUESTION 341
Your network contains an Active Directory domain named contoso.com.
The domain contains a member server named Server1. Server1 has the Web Server (IIS) server
role installed.
On Server1, you install a managed service account named Service1.
You attempt to configure the World Wide Web Publishing Service as shown in the exhibit.

You receive the following error message:

"The account name is invalid or does not exist, or the password is


invalid for the account name specified."

You need to ensure that the World Wide Web Publishing Service can log on by using the
managed service account.
What should you do?

A. Specify contoso\service1$ as the account name.


B. Specify [email protected] as the account name.
C. Reset the password for the account.
D. Enter and confirm the password for the account.

Answer: A
Explanation:

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 316
http://www.braindump2go.com
A managed service account is designed for service applications such as Internet Information
Services, SQL Server, or Exchange to provide the following.:

- Automatic password management, so that these services can be


separated from other services on the computer better.
- Simplified SPN management Service Principal Name (SPN) that allows
service administrators to set SPNs on these accounts. In addition, SPN
management can be delegated to other administrators.

Managed service accounts are created using PowerShell cmdlets and managed. The accounts
are identified by a dollar sign at the end of the login name. After the logon name is correct, the
settings are applied and the account will have the right to log on as a service given.

QUESTION 342
Your network contains an Active Directory domain named contoso.com. All domain controllers
run Windows Server 2008 R2. The domain contains three servers that run Windows Server 2012.
The servers are configured as shown in the following table.

Server1 and Server2 are configured in a Network Load Balancing (NLB) cluster.
The NLB cluster hosts a website named Web1 that uses an application pool named App1.
Web1 uses a database named DB1 as its data store.
You create an account named User1.
You configure User1, as the identity of App1.
You need to ensure that contoso.com domain users accessing Web1 connect to DB1 by using
their own credentials.
Which two actions should you perform? (Each correct answer presents part of the solution.
Choose two.)

A. Configure the delegation settings of Server3.


B. Create a Service Principal Name (SPN) for User1.
C. Configure the delegation settings of User1.
D. Create a matching Service Principal Name (SPN) for Server1 and Server2.
E. Configure the delegation settings of Server1 and Server2.

Answer: BE
Explanation:
To enable impersonation to connect to the database server, the delegation settings for
constrained delegation must (computer only trust for delegation to specified services) can be
configured. Subsequently, the service principal name can be specified for the identity of the
application pool as a delegate service.

The role of the service principal name to authenticate on SQL Server, if an application opens
a connection and uses Windows authentication, passes the SQL Server Native Client to SQL

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 317
http://www.braindump2go.com
Server computer name, -Instanznamen and optionally an SPN. If the connection passes an SPN,
it is used without modification.

When the connection is no SPN, a default service principal name is created based on protocol,
server name and instance name used. In both scenarios, the Service Principal Name is sent to
the Key Distribution Center to a security token for retrieve authenticate the connection. If no
security token can be retrieved using NTLM authentication.

A Service Principal Name (SPN, Service Principal Name) is the name that uniquely identifies a
client about an instance of a service. The Kerberos authentication service can an SPN to
authenticate a service use. When a client wants to connect to a service, it locates an instance of
the service, posted an SPN for that instance, connects to the service and transfers the SPN to
authenticate to the service.

The preferred method for authenticating users at SQL Server is Windows authentication. Clients
that use Windows authentication to authenticate with NTLM or Kerberos. In an Active Directory
environment, Kerberos authentication is always performed first. The Kerberos authentication for
SQL Server 2005 clients that are using named pipes, not available.

QUESTION 343
Your network contains an Active Directory domain named contoso.com.
The domain contains a domain controller named DC4 that runs Windows Server 2012.
You create a DCCloneConfig.xml file.
You need to clone DC4.
Where should you place DCCloneConfig.xml on DC4?

A. %Systemroot%\SYSVOL
B. %Programdata%\Microsoft
C. %Systemroot%\NTDS
D. %Systemdrive%

Answer: C

QUESTION 344
Your network contains an Active Directory domain named contoso.com.
The domain contains a domain controller named DC1. On DC1, you add a new volume and you
stop the Active Directory Domain Services (AD DS) service.
You run ntdsutil.exe and you set NTDS as the active instance.
You need to move the Active Directory database to the new volume.
Which Ntdsutil context should you use?

A. Configurable Settings
B. Partition management
C. IFM
D. Files

Answer: D
Explanation:
The Ntdsutil utility is used for using the Active Directory Domain Services (AD DS) and Active
Directory Lightweight Directory Services (AD LDS).
It allows numerous tasks of maintenance. In order to Volume E both the database file and the
associated log files in the directory NTDs: to move, you can successively make the following
entries:

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 318
http://www.braindump2go.com
Ntdsutil
Activate Instance NTDS
Files
Move DB To E:\NTDS
Move Logs to e:\NTDS

The Ntdsutil utility contains numerous sub-programs:

QUESTION 345
Your network contains an Active Directory domain named adatum.com.
The domain contains a domain controller named DC1.
On DC1, you create a new volume named E.
You restart DC1 in Directory Service Restore Mode.
You open ntdsutil.exe and you set NTDS as the active instance.
You need to move the Active Directory logs to E:\NTDS\.
Which Ntdsutil context should you use?

A. IFM
B. Configurable Settings
C. Partition management
D. Files

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 319
http://www.braindump2go.com
Answer: D
Explanation:
A. Aids in modifying the time to live (TTL) of dynamic data that is stored in Active Directory
Domain Services (AD DS).
At the configurable setting: prompt, type any of the parameters listed under Syntax.
B. Manages directory partitions for Active Directory Domain Services (AD DS) or Active Directory
Lightweight Directory Services (AD LDS).
C. Creates installation media for writable (full) domain controllers, read-only domain controllers
(RODCs), and instances of Active Directory Lightweight Directory Services (AD LDS).
D. ntdsutil move db to %s Moves the directory service log files to the new directory specified
by %s, and updates the registry so that, upon service restart, the directory service uses the new
location. http://technet.microsoft.com/en-us/library/cc753343(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc755229(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc730970(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc732530(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc753900(v=ws.10).aspx

QUESTION 346
The contoso.com domain contains 2 domain controllers running Server 2012, AD recycle bin is
enabled for the domain.
DC1 is configured to take AD snapshots daily, DC2 is set to take snapshots weekly.
Someone deletes a group containing 100 users, you need to recover this group.
What should you do?

A. Authoritative Restore
B. Non Authoritative Restore
C. Tombstone Reanimation
D. Modify attribute is deleted

Answer: D
Explanation:
a new or significantly improved method for recovery of deleted Active Directory objects was
introduced with Windows Server 2008 R2. If the Active Directory Recycle Bin is enabled in a
forest, all attributes for a defined period (deletedObjectLifetime, DOL) are retained when you
delete an object. Deleted Items can be restored without downtime of the domain controller and
retaining all group memberships and permissions via LDAP editor or by using PowerShell
cmdlets.
The Active Directory Recycle Bin can so far be considered a development of the tombstone
reanimation, in which only the SID of an object is restored and the missing attributes are
nachgepflegt example with the aid of an Active Directory snapshots. Deleted items are moved to
the Deleted Objects container.
The container can not be displayed with the Active Directory Users and Computers or the ADSI
Edit tool. To view the Deleted Objects container, you can use either LDP.exe or the Active
Directory Explorer from Sysinternals.
With LDP.exe, the objects can also be restored equal by the boolean value of the attribute
isDeleted for the deleted object from TRUE to FALSE is changed.

QUESTION 347
You have a RODC named Server1 running Server 2012.
You need to add a RODC Administrator.
How do you complete the task?

A. dsmgmt.exe

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 320
http://www.braindump2go.com
B. ntdsutil
C. Add user to Local Administrator Group on Server1
D. Use Security Group and modify RODC Delegated Administrator

Answer: D
Explanation:
A read-only domain controller (RODC) offers the possibility of dividing the Administrator role. This
means that each domain user or security group can be used as a local administrator of an RODC
without the user or group must be granted rights to the domain or other domain controllers.

A delegated administrator can log on to an RODC to maintenance work on the Server execute to
update z. B. to a driver. The delegated administrator is not, however, be able to log on to another
domain controller, or perform other administrative tasks in the domain. In this way, the effective
management of RODCs a branch office to a security group from branch office users, instead of
individual members of the Domain Admins group are delegated, without jeopardizing the safety of
the rest of the domain. Before you install a read-only domain controller can in the wizard for
making a account for a read-only domain controller, a user or a group Wreden defined as
delegated RODC Administartor.

To grant a user or a group after you install a read-only domain controller local administrator rights
for a read-only domain controller (RODC), the settings on the tab can Maintained by be
configured in the properties of the computer account of RODC1. can open the Utilities dsmgmt
and Ntdsutil for adding a delegated RODC administrator be used.

Microsoft recommends expressly that utilities dsmgmt and Ntdsutil not to be used for this purpose
and instead specify a group which the Administrator Role Separation can be controlled.

The background is that the user, the password have been set with the help of dsmgmt or Ntdsutil
as delegated RODC administrator can not be easily determined in retrospect.

QUESTION 348
A computer does not support PXE, what kind of image do you need to create?

A. boot
B. install
C. discovery
D. capture

Answer: C

QUESTION 349
Your network contains an Active Directory domain named contoso.com.
All domain controllers run Windows Server 2012.
The domain contains two organizational units (OUs) named OU1 and OU2 in the root of the
domain. Two Group Policy objects (GPOs) named GPO1 and GPO2 are created.
GPO1 is linked to OU1. GPO2 is linked to OU2. OU1 contains a client computer named
Computer1.
OU2 contains a user named User1.
You need to ensure that the GPOs applied to Computer1 are applied to User1 when User1 logs
on.
What should you configure?

A. Item-level targeting

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 321
http://www.braindump2go.com
B. Group Policy loopback processing mode
C. the Enforced setting
D. Block Inheritance

Answer: B
Explanation:
Due to the policy setting loopback User Group Policy in the path Computer Configuration \
Administrative Templates \ System \ Group Policy the set of GPOs applied to the computer for
each user who logs on to a computer, this setting applies. This setting is intended for computers
with a special purpose, eg. As for computers in public, in laboratories or classrooms where the
user settings must be changed depending on your computer. By default is set by the GPOs the
user, which user settings are applied. If you enable this policy setting, but the GPOs the computer
determine when the user logs, which rate is applied GPOs. If you enable this policy setting, you
can select one of the following modes from the "Mode" field:
"Replace" indicates that the conditions laid down in the Group Policy objects for the computer
user settings replace the user settings normally applied to the user.

"Merge" indicates that the conditions laid down in the Group Policy objects for the computer user
settings and the user settings normally applied are combined. If the settings conflict, putting the
user settings in Group Policy on the computer of the user override the normal settings.

If you disable this setting or do not configure determine the user's GPOs, which user settings are
applied.

QUESTION 350
From where can you enable NAT?

A. Routing and Remote Access ==> IPv4 ==> Create new Routing Protocol
B. Missing
C. Missing
D. Missing

Answer: A

QUESTION 351
Your network contains an Active Directory domain named contoso.com. All domain controllers
run Windows Server 2012. One of the domain controllers is named DC1.
The DNS zone for the contoso.com zone is Active Directory-integrated and has the default
settings. A server named Server1 is a DNS server that runs a UNIX-based operating system.
You plan to use Server1 as a secondary DNS server for the contoso.com zone.
You need to ensure that Server1 can host a secondary copy of the contoso.com zone.
What should you do?

A. From Windows PowerShell, run the Set-DnsServerForwarder cmdlet and specify the contoso.com
zone as a target.
B. From Windows PowerShell, run the Set-DnsServerSetting cmdlet and specify DC1 as a target.
C. From Windows PowerShell, run the Set-DnsServerPrimaryZone cmdlet and specify the
contoso.com zone as a target.
D. From DNS Manager, modify the Advanced settings of DC1.

Answer: C
Explanation:

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 322
http://www.braindump2go.com
By default, allowed no zone transfer to other DNS servers for Active Directory-integrated zone.
The replication of zone data is in Active Directory-integrated zones solely within the framework of
the Active Directory replication.
To enable Server1 obtaining the zone data, the settings of the zone transfer for certbase.de need
to be changed. This can either be on the characteristics of the zone in DNS Manager or by using
the PowerShell cmdlet Set-DnsServerPrimaryZone done.

QUESTION 352
You are the administrator of an Active Directory Domain Services (AD DS) domain named
contoso.com. The domain has a Microsoft Windows Server 2012 R2 server named Contoso-
SR05 that hosts the File and Storage Services server role.
Contoso-SR05 hosts a shared folder named userData.
You want to receive an email alert when a multimedia file is saved to the userData folder.
Which tool should you use?

A. You should use File Management Tasks in File Server Resource Manager.
B. You should use File Screen Management in File Server Resource Manager.
C. You should use Quota Management in File Server Resource Manager.
D. You should use File Management Tasks in File Server Resource Manager.
E. You should use Storage Reports in File Server Resource Manager.

Answer: B

QUESTION 353
You have two servers, Server 1 and server 2.
You create a custom data collector set DCS1 on Server 1.
You need to export DCS1 from Server 1 to Server2.
What should you do?

A. Right click on DCS1 and click on Export list


B. Right click on DCS1 and click on Save template
C. Right click on DCS1 and click on Data Manager
D. Right click on DCS1 and click on Export manager

Answer: B
Explanation:
The function Save Template ... lets you export the definition of a data collector set in an XML file.
Subsequently, the Data Collector Set can be imported on Server2.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 323
http://www.braindump2go.com
QUESTION 354
You administrate an Active Directory domain named EnsurePass.com.
The domain has a Microsoft Windows Server 2012 R2 server named EP-SR01 that hosts the File
Server Resource Manager role service.
You are configuring quota threshold and want to receive an email alert when 80% of the quota
has been reached.
Where would you enable the email alert?

A. You should consider creating a Data Collector Set (DCS).


B. You should use Windows Resource Monitor.
C. You should use the File Server Resource Manager.
D. You should use Disk Quota Tools.
E. You should use Performance Logs and Alerts.

Answer: C
Explanation:

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 324
http://www.braindump2go.com
To make use of email alerts, you need to configure the SMTP Server address details in the File
Server Resource Manager options.

QUESTION 355
Note: This Question is part of series of question that use the same or similar answer choices.
An answer choice may be correct for more than one question in the series. Each question is
independent of the other questions in the series. Information and detailed provided in a question
apply only to that question. You network contains one Active Directory domain named
contoso.com. The forest functional level is Windows Server 2012. All servers run Windows Server
2012 R2. All client computer run Windows 8.1.
The domain contains 10 domain controllers and a read-only domain controller (RODC) named
RODC01. All domain controllers and RODCs are hosted on a Hyper-V host that runs Windows
Server 2012 R2.
You need to identify which domain controllers are authorized to be cloned using virtual domain
controller cloning.
Which cmdlet should you use?

A. Get-ADGroupMember
B. Get-ADDomainControllerPasswordReplicationPolicy
C. Get-ADDomainControllerPasswordReplicationPolicyUsage
D. Get-ADDomain
E. Get-ADOptionalFeature
F. Get-ADAccountAuthorizationGroup
G. Get-ADAuthenticationPolicySlio
H. Get-ADAuthenticationPolicy

Answer: A

QUESTION 356
Note: This Question is part of series of question that use the same or similar answer choices.
An answer choice may be correct for more than one question in the series. Each question is
independent of the other questions in the series. Information and detailed provided in a question
apply only to that question. You network contains one Active Directory domain named
contoso.com. The forest functional level is Windows Server 2012.
All servers run Windows Server 2012 R2. All client computer run Windows 8.1.
The domain contains 10 domain controllers and a read-only domain controller (RODC) named
RODC01.
All domain controllers and RODCs are hosted on a Hyper-V host that runs Windows Server 2012
R2. You need to identify which security principals are authorized to have their password cached
on RODC1? Which cmdlet should you use?

A. Get-ADGroupMember
B. Get-ADDomainControllerPasswordReplicationPolicy
C. Get-ADDomainControllerPasswordReplicationPolicyUsage
D. Get-ADDomain
E. Get-ADOptionalFeature
F. Get-ADAccountAuthorizationGroup
G. Get-ADAuthenticationPolicySlio
H. Get-ADAuthenticationPolicy

Answer: B

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 325
http://www.braindump2go.com
QUESTION 357
Note: This Question is part of series of question that use the same or similar answer choices.
An answer choice may be correct for more than one question in the series. Each question is
independent of the other questions in the series. Information and detailed provided in a question
apply only to that question. You network contains one Active Directory domain named
contoso.com. The forest functional level is Windows Server 2012.
All servers run Windows Server 2012 R2. All client computer run Windows 8.1.
The domain contains 10 domain controllers and a read-only domain controller (RODC) named
RODC01. All domain controllers and RODCs are hosted on a Hyper-V host that runs Windows
Server 2012 R2. Determine what domain controller needs to be online to promote a RODC.
Which cmdlet should you use?

A. Get-ADGroupMember
B. Get-ADDomainControllerPasswordReplicationPolicy
C. Get-ADDomainControllerPasswordReplicationPolicyUsage
D. Get-ADDomain
E. Get-ADOptionalFeature
F. Get-ADAccountAuthorizationGroup
G. Get-ADAuthenticationPolicySlio
H. Get-ADAuthenticationPolicy

Answer: D

QUESTION 358
Note: This Question is part of series of question that use the same or similar answer choices.
An answer choice may be correct for more than one question in the series. Each question is
independent of the other questions in the series. Information and detailed provided in a question
apply only to that question. You network contains one Active Directory domain named
contoso.com. The forest functional level is Windows Server 2012.
All servers run Windows Server 2012 R2. All client computer run Windows 8.1. The domain
contains 10 domain controllers and a read-only domain controller (RODC) named RODC01.
All domain controllers and RODCs are hosted on a Hyper-V host that runs Windows Server 2012
R2. What accounts are allowed to replicate their password with the RODC? Which cmdlet should
you use?

A. Get-ADGroupMember
B. Get-ADDomainControllerPasswordReplicationPolicy
C. Get-ADDomainControllerPasswordReplicationPolicyUsage
D. Get-ADDomain
E. Get-ADOptionalFeature
F. Get-ADAccountAuthorizationGroup
G. Get-ADAuthenticationPolicySlio
H. Get-ADAuthenticationPolicy

Answer: B

QUESTION 359
Note: This Question is part of series of question that use the same or similar answer choices.
An answer choice may be correct for more than one question in the series. Each question is
independent of the other questions in the series. Information and detailed provided in a question
apply only to that question. You network contains one Active Directory domain named

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 326
http://www.braindump2go.com
contoso.com. The forest functional level is Windows Server 2012. All servers run Windows Server
2012 R2. All client computer run Windows 8.1.
The domain contains 10 domain controllers and a read-only domain controller (RODC) named
RODC01. All domain controllers and RODCs are hosted on a Hyper-V host that runs Windows
Server 2012 R2. You need to identify whose passwords can be stored, view stored passwords.
Which cmdlet should you use?

A. Get-ADGroupMember
B. Get-ADDomainControllerPasswordReplicationPolicy
C. Get-ADDomainControllerPasswordReplicationPolicyUsage
D. Get-ADDomain
E. Get-ADOptionalFeature
F. Get-ADAccountAuthorizationGroup
G. Get-ADAuthenticationPolicySlio
H. Get-ADAuthenticationPolicy

Answer: C

QUESTION 360
You have a DNS server that runs Windows Server 2012 R2.
The server hosts the zone for contoso.com and is accessible from the internet.
You need to create a DNS record for the Sender Policy Framework (SPF) to list that are
authorized ti send email for contoso.com
Which type of record should you create?

A. Name Server (NS)


B. Mail.exchanger (MX)
C. Resource record signature (RRSIG)
D. Text (TXT)

Answer: D
Explanation:
http://mediatemple.net/community/products/dv/204404314/how-can-i-create-an-spf-record-for-
my-domain
http://en.wikipedia.org/wiki/Sender_Policy_Framework

QUESTION 361
You have three Windows Server Update Services (WSUS) Servers named Server01 Server02
and Server03.
Server01 synchronizes form Microsoft Update.
You need to ensure that only Server02 and Server03 can Synchronize updates from Server01.
What should you do?

A. Modify %ProgramFiles%\Update
Services\WebServices\Serversyncgwevservice\SimpleAuth.asmx.
B. From the Update Services console, modify the Update Source and Proxy Server options.
C. From the Update Services console, modify the Automatic Approvals Options.
D. Modify %ProgramFiles%\Update Services\WebServices\Serversyncgwevservice\Web.config.

Answer: D
Explanation:

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 327
http://www.braindump2go.com
"The question is asking how to harden WSUS, i.e. limit the servers that can get updates from
Server01 to only Server02 and Server03. This is done by modifying the web.config. "
https://technet.microsoft.com/en-us/library/Cc708550(v=WS.10).aspx

QUESTION 362
Your corporate network includes an Active Directory Domain Services (AD DS) domain
certbase.de named.
The domain contains a Windows Server 2012 R2 computer named Server3. Server3 performs
the role Windows Deployment Services.
They have a virtual Windows Server 2012 R2 creates computer named VM1.
On VM1 several industry-specific applications are installed.
To use the Windows Deployment Services to create an image of VM1.
What image type you will add Server3?

A. Capture
B. Install
C. Discovery
D. Boot

Answer: A
Explanation:
The main image types used in Windows Deployment Services are installation and boot images.

Install images
Install images are the operating system images that you deploy to the client computer. You can
use the default install image (install.wim) located on the DVD of Windows Vista or Windows
Server 2008 in the \ Sources directory.
You can also create custom install images from reference computers and deploy them to client
computers. First, you boot a computer (which has been prepared with Sysprep) into a capture
image. Then the capture image an install image of the computer is created.

Boot images
Boot images are the images with which you start a client computer before installing the operating
system image. The boot image presents a boot menu that contains the images that users can
install on their computers.
These images contain Windows PE 2.0 and the Windows Deployment Services client. You can
use the default boot image included in the \ Sources directory of the Windows Server 2008
installation media (boot.wim).
This file must be only in advanced scenarios (for example, if you must add the image driver) to be
changed. Important Only use the Boot.wim file on the Windows Server 2008 DVD.
If you boot.wim file to use on the Windows Vista DVD, you can not use all the functionality of
Windows Deployment Services (for example, multicasting). There are also two image types that
you can create from boot images:. Capture images and discover images.

Capture Images
Capture Images are boot images that allow the utility starts to record the Windows Deployment
Services in place of the setup. If a reference computer (which has been prepared with Sysprep)
start with a capture image, an install image of the reference computer is created and saved as a
WIM file with an assistant. You can also create a medium (eg, CD, DVD or USB drive) that
contains a capture image, and then boot a computer to the media. After you create the install
image, you can use the image for PXE boot deployment Add the server. These images provide
an alternative to command-line tool ImageX.exe.

Discover images

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 328
http://www.braindump2go.com
Discover images search images are boot images, which is enforced by that Setup.exe in
Windows Deployment Services mode is started. Subsequently, a Windows Deployment Services
server will be searched.
These images are typically used to deploy images to computers that are not configured for PXE
or that are in networks where PXE is not allowed. If you create a discover image and apply it to
the medium (eg, CD, DVD or Save USB drive), you can then boot a computer to the media.

The discover image on the media of the Windows Deployment Services server will be searched.
The installation image is provided by the server for the computer. You can configure discover
images so that a specific Windows Deployment Services server is used as a target. This means
that you can create a discover image when a plurality of servers in your environment for each
server and then can name each based on the name of the server.

QUESTION 363
Your corporate network includes an Active Directory Domain Services (AD DS) domain
Lead2pass.com named.
The domain contains two Windows Server Update Services (WSUS) server with the name and
WSUS1 WSUS2.
WSUS2 is a replica of WSUS1.
You must configure the Windows Server Update Services so that WSUS2 report sends data to
WSUS1.
What you configure?

A. Update Reports
B. Synchronization Options
C. Computer Groups
D. Reporting rollup

Answer: D
Explanation:

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 329
http://www.braindump2go.com
QUESTION 364
Your network contains an Active Directory domain named contoso.com.
The domain contains a file server named Server1.
On Server1 the operating system Windows Server 2012 R2 is installed.
Check the RSoP of Server1.
The effective settings are shown in the picture (click on the button drawing).
You must ensure that an entry is recorded in the event log when it is on Server1 created or
deleted a local user account.
How do you proceed?

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 330
http://www.braindump2go.com
You need to ensure that an entry is added to the event log whenever a local user account is
created or deleted on Server1.
What should you do?

A. Change the settings of the audit policy in Group Policy Object (GPO) ServersGPO
B. On Server1, attach a task to the security log.
C. Add the System log on Server1 a task.
D. Change the settings of the Advanced Audit Policy Configuration in Group Policy Object (GPO)
ServersGPO

Answer: A
Explanation:
From the figure it is evident that the policy Audit account management is enabled only for failed
attempts. Must be monitored in order to monitor the creation and deletion of accounts also
successful attempts of account management. Audit account management is determined whether
all Account Management events are monitored on a computer with this security setting.
The account management events include:

A user account or user group is created, changed or deleted.


A user account is renamed, disabled or enabled.
A password is set or changed.

If you define this policy setting, you can specify whether success or failure can be monitored and
specify that the event type is not monitored. Success audits generate an audit entry is generated
when any account management event succeeds. Failure audits generate an audit entry is
generated when any account management event fails. If you "No monitoring" want to set this

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 331
http://www.braindump2go.com
value to, activate the dialog "Properties" for this policy setting check box "Define these policy
settings" and uncheck the checkbox "success" and "failure".

When you use Advanced Audit Policy Configuration settings, you need to confirm that these
settings are not overwritten by basic audit policy settings. The following procedure shows how to
prevent conflicts by blocking the application of any basic audit policy settings.

Enabling Advanced Audit Policy Configuration

Basic and advanced audit policy configurations should not be mixed. As such, it's best practice to
enable Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit
policy category settings in Group Policy to make sure that basic auditing is disabled. The setting
can be found under Computer Configuration\Policies\Security Settings\Local Policies\Security
Options, and sets the SCENoApplyLegacyAuditPolicy registry key to prevent basic auditing being
applied using Group Policy and the Local Security Policy MMC snap-in.

In Windows 7 and Windows Server 2008 R2, the number of audit settings for which success and
failure can be tracked has increased to 53. Previously, there were nine basic auditing settings
under Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit
Policy. These 53 new settings allow you to select only the behaviors that you want to monitor and
exclude audit results for behaviors that are of little or no concern to you, or behaviors that create
an excessive number of log entries. In addition, because Windows 7 and Windows Server 2008
R2 security audit policy can be applied by using domain Group Policy, audit policy settings can be
modified, tested, and deployed to selected users and groups with relative simplicity.

Audit Policy settings

Any changes to user account and resource permissions.


Any failed attempts for user logon.
Any failed attempts for resource access.
Any modification to the system files.

Advanced Audit Configuration SettingsAudit compliance with important business-related and


security-related rules by tracking precisely defined activities, such as:
A group administrator has modified settings or data on servers that contain finance information.
An employee within a defined group has accessed an important file. The correct system access
control list (SACL) is applied to every file and folder or registry key on a computer or file share as
a verifiable safeguard against undetected access.

In Servers GPO, modify the Audit Policy settings - enabling audit account management setting
will generate events about account creation, deletion and so on.

Advanced Audit Configuration SettingsAdvanced Audit Configuration Settings ->Audit


Policy -> Account Management -> Audit User Account Management

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 332
http://www.braindump2go.com
In Servers GPO, modify the Audit Policy settings - enabling audit account management setting
will generate events about account creation, deletion and so on.

http://blogs.technet.com/b/abizerh/archive/2010/05/27/tracing-down-user-and-computer-account-
deletion-in- active-directory.aspx
http://technet.microsoft.com/en-us/library/dd772623%28v=ws.10%29.aspx
http://technet.microsoft.com/en-us/library/dd408940%28v=ws.10%29.aspx#BKMK_step2
http://technet.microsoft.com/en-us/library/jj852202(v=ws.10).aspx http://www.petri.co.il/enable-
advanced-audit-policy-configuration-windows-server.htm

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 333
http://www.braindump2go.com
QUESTION 365
Your corporate network includes an Active Directory Domain Services (AD DS) domain
contoso.local named.
On all servers Windows Server 2012 R2 is installed.
You want a read-only domain controller (RODC) to remove from the domain.
Which rule must be observed with respect to the removal RODC?

A. All read-only domain controllers must be removed from the domain before the last writable
domain controller can be downgraded.
B. All writable domain controllers must be downgraded before a read-only domain controller can be
removed from the domain.
C. The overall structure may contain only read-only domain controller.
D. There are no rules that must be followed when removing read-only domain controller.

Answer: A
Explanation:
A domain can not only read-only domain controller (RODC) included. A read-only domain
controller (RODC) provide, you must deploy at least one writable domain controller for the same
domain.
This serves as a replication partner for the RODC. Conversely, you must remove all read-only
domain controller, bervor you demote the last writable domain controller.

QUESTION 366
On a server with the operating system Windows Server 2012 R2, you can uninstall the graphical
shell for servers and get a server with minimal server user interface.
The user interface is similar to a minimal server installation Server with complete graphical user
interface.
Some features are missing, however.
Which of the following features missing?

A. Microsoft Management Console (MMC)


B. Windows Explorer
C. Subset of the Control Panel
D. Server Manager

Answer: B
Explanation:
In Windows Ser1ver 2012, you can remove the server graphic shell, resulting in the "Minimal
Server Interface". This is similar to a server installation with a graphical user interface, but
Internet Explorer 10, the Windows Explorer, the desktop and the Start screen are not installed.
The Microsoft Management Console (MMC), Server Manager, and a subset of the control panel
are still available. If you start with a server installation with a graphical user interface, you can
switch at any time using the Server Manager to minimum server user.

QUESTION 367
Which of the following features are available when Windows Server 2012 R2 is installed, although
with complete graphical user interface but without the Desktop Experience feature presentation?
(Select all that apply.)

A. Modern UI start screen


B. Integrated help system

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 334
http://www.braindump2go.com
C. Windows Search
D. Windows Media Player

Answer: AB
Explanation:
Using the Desktop Experience feature You can install a variety of Windows 8.1 features on a
server running Windows Server 2012 Design. Thought this possibility is especially useful for
providing remote desktop workstations. The Feature Desktop Experience includes uner including
the Windows Media Player and Windows Search.

QUESTION 368
You administer a Windows Server 2012 R2 computer that is named Server1.
You want to use the Task Manager to end a running application.
Which register or which menu of Task Manager you use?

A. power
B. User
C. Options
D. Details

Answer: D
Explanation:
Running applications in Task Manager on the register details are terminated:

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 335
http://www.braindump2go.com
QUESTION 369
Your corporate network includes an Active Directory Domain Services (AD DS) domain
contoso.local named.
Make the Windows Server Update Services (WSUS) on a server named Server1 ready.
You must prevent the Windows Server Update Services (WSUS) are automatically updated on
Server1.
What step to run using the console Update Services?

A. Use the Products and Classifications options, configure the Products settings.
B. Use the Automatic Approvals options and change the settings on the tab Advanced.
C. Use the Option Products and Classifications and change the settings in the registry
classifications.
D. Use the Automatic Approvals options and change the settings of the default rule for automatic
approval.

Answer: B
Explanation:
In the advanced settings option rubberstamp approvals can be determined whether the updates
that are intended for WSUS itself, are automatically approved. By default, this option is enabled.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 336
http://www.braindump2go.com
QUESTION 370
Your corporate network includes an Active Directory Domain Services (AD DS) domain
certbase.de named.
On all server computers Windows Server 2012 R2 is installed. All client computers Windows 8 is
installed.
The domain comprises no certification authority (CA).
You must add in the domain a data recovery agent for the Encrypting File System (EFS). Which
two steps you will perform? (Each correct answer presents part of the solution. Choose two.)

A. Run on the Windows PowerShell cmdlet Get-Certificate from.


B. Open the Default Domain Controllers Policy and perform the action data recovery agents create
from.
C. Open the Default Domain Policy and perform the action data recovery agents to add from.
D. Run from the command prompt, the command-line utility Cipher.exe from
E. Open the Default Domain Policy, and perform the action data recovery agents create from.
F. Open the Default Domain Controllers Policy and perform the action data recovery agents to add
from.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 337
http://www.braindump2go.com
Answer: CD
Explanation:
With the call Cipher.exe/R:DRA we can create a certificate for EFS recovery. The command call
creates a PFX file that contains the certificate and private key and a .CER file that contains only
the certificate.
Then, the contents of the .cer file to the EFS recovery policy can be added to create the recovery
key for users , The PFX file can be imported to restore individual files.

QUESTION 371
Your corporate network includes an Active Directory Domain Services (AD DS) domain
certbase.de named.
On all server computers Windows Server 2012 R2 is installed. All client computers Windows 8 is
running.
You must control access to removable storage devices.
Which category you will configure? (To be configured dialog box shown in the picture. Click the
Drawing button.)

A. Account Application
B. Account Management
C. DS Access
D. Object Access
E. Authorizations
F. System

Answer: D
Explanation:

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 338
http://www.braindump2go.com
What events in detail are affected by the audit policies, can be determined easily by a look at the
subcategories of the expanded audit policy:

QUESTION 372
Your corporate network includes an Active Directory Domain Services (AD DS) domain named
contoso.com .
The domain contains a Windows Server 2012 R2 computer that is named Server1. On Server1
the role Windows Server Update Services is installed.
You have created a new Group Policy object (GPO).
To configure the Windows Update settings of the client computer so that Windows updates are
every Wednesday installed at 13:00 clock.
Which policy will configure? (To be configured dialog box shown in the picture. Click the Drawing
button.)

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 339
http://www.braindump2go.com
A. Configure Automatic Updates
B. Enable Client-side target allocation
C. Specify intranet Microsoft update service
D. Not allow administrators to receive update notifications
E. Enable Windows Update Power Management to reactivate the system to install scheduled
updates automatically
F. Create new schedule of planned installations

Answer: A
Explanation:
The policy Configure Automatic Updates determines whether the computer security updates
and other important downloads obtained via the Windows Automatic Updates service. In addition,
you can specify one of the following options and a timetable for the installation:

2 = notify before downloading any updates and notify again before installation. If Windows
detects updates that can be applied to the computer, an icon in the status area with a message
that informs you that updates are available for download. Clicking the icon or message, you can
select to download updates. The selected updates are then downloaded from Windows in the
background. After downloading is complete, an icon in the status area again displayed that
informs you that the updates can be installed. When you click the icon or message, you can
select the updates that you want to install.

Automatically download 3 = (default) updates and notify you of updates installable Windows
checks for updates that can be applied to the computer, and loads these automatically in the
background without (the user is not notified during the process or disturbed). After downloading
has been completed, the status area, the icon is displayed, informing you that the updates can be
installed. When you click the icon or message, you can select the updates that you want to install.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 340
http://www.braindump2go.com
Automatically download 4 = Updates and schedule that I specify install Specify the schedule
using the options in the Group Policy setting. By default installations are planned daily for 3 clock
in the morning, if no timetable is given. The completion of the update installation, if a restart is
required, Windows will automatically restart the computer. (If a user is logged on to the computer
when Windows is restarted, the user is notified and can delay the restart.)

5 = places allow administrators to select the configuration mode for the update installation
through Automatic Updates This option can be enabled with local administrators, on the Control
Panel icon "Automatic Updates" option to select a configuration. You can select a date for a
planned installation example itself. Local administrators will not be allowed to disable the
configuration for "Automatic Updates".

QUESTION 373
Your corporate network includes an Active Directory Domain Services (AD DS) domain
certbase.de named.
On all server computers Windows Server 2012 R2 is installed.
The domain contains an organizational unit (OU) named CBDateiserver.
The OU contains the computer accounts of all file servers in the domain.
You need to monitor successful user access to file sharing, file server.
Which audit policy, you will configure?
(To be configured dialog box shown in the picture. Click the Drawing button.)

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 341
http://www.braindump2go.com
A. Audit logon events
B. Audit account logon events
C. Audit object access
D. Audit privilege use
E. Audit privilege use
F. Audit directory service access

Answer: C
Explanation:
With the security setting Audit object access is determined whether user access be monitored
for non-Active Directory objects. Monitoring will be generated only for objects that is specified for
its own SACL (System Access Control List, ACL on the system), and only then, if the requested
access type (for example, write, read or modify) and the account from which the request
originates, correspond to the settings in the SACL.

The administrator can specify whether only successful or failed only or both successful and
unsuccessful operations, or basically no operations are monitored (ie neither successful nor
unsuccessful operations).

If the monitoring of successful operations enabled is an audit entry for each successful access to
a non-Active Directory object that has a matching SACL is indicated, is generated. If the
monitoring of failed transactions is enabled, each time failed access to a non-Active Directory
object for which a matching SACL specified, an audit entry is generated.

Note that you can set a SACL on an Active Directory object on the "Security" tab in the
"Properties" of the object. Default:. No supervision order to gain more control over the audit
policy, you can use the settings in the node "Advanced Audit Policy Configuration".

QUESTION 374
Your corporate network includes an Active Directory Domain Services (AD DS) domain named

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 342
http://www.braindump2go.com
contoso.com .
The domain contains a Windows Server 2012 R2 computer that is named Server1.
On Server1 the role Windows Server Update Services is installed.
You want to use a Group Policy object (GPO) to assign members of a computer group.
Which settings you will configure?

A. Configure Automatic Updates


B. Specify intranet Microsoft update service
C. Enable Software Notifications
D. Enable recommended updates via Automatic Updates
E. Enable Client-side targeting
F. Allow signed updates from an intranet Microsoft update service location

Answer: E
Explanation:
Computer can either manually or using the policy setting Client-side target association enable to
computer groups of the Windows Server Update Services can be added.

The Directive Enable Client-side target mapping indicates the target group name or the name
that will be used to receive updates from Microsoft Update Service on the intranet .

If the status to "Enabled" is set, the specified target group information to the Microsoft Update
service will be sent on the intranet. This uses this information to determine which updates will be
made available on the computer.

If the Microsoft update service location on the intranet supports multiple audiences, multiple,
semicolon-separated group names can be specified by this Directive. Otherwise, a single group
must be specified.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 343
http://www.braindump2go.com
If the status is set to "Disabled" or "Not Configured", no target group information to the Microsoft
Update service will be sent on the intranet.

Note:

This policy applies only when the Microsoft Update service on the intranet, which this Computer
use is configured to support client-side target allocation.

This policy has no effect when the policy is "intranet specify for Microsoft update service location"
is disabled or not configured.

This policy is not supported on Windows RT. Enabling this policy on PCs running Windows RT
runs has no effect.

QUESTION 375
Your corporate network includes an Active Directory Domain Services (AD DS) domain
certbase.de named.
On all domain controllers running Windows Server 2012 R2 is installed.
A support technician installed at an outdoor location Windows Server 2012 R2 on a server named
DC10.
DC10 is currently a member of a workgroup.
You plan DC10 to a read-only domain controller (RODC) to change or "elevate".
You must ensure that a user can promoted to a read-only domain controller with the username
contoso \Tom DC10.
Your solution must the permissions that are granted to Tom, minimize.
How do you proceed?

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 344
http://www.braindump2go.com
A. Use the command-line tool Ntdsutil.exe and run the command Local Roles from.
B. Use Active Directory Users and Computers and create an account for a read-only domain
controller.
C. Use the console Active Directory Users and Computers, and then run the wizard for assigning
object management for container Domain Controllers from.
D. Take DC10 to the domain. And you change the properties of the computer account of DC10.

Answer: B
Explanation:
Use the context menu of the container domain controller you can access an assistant for a
preliminary deployment of an account for a read-only domain controller. The wizard asks the
name of the RODC, the destination site and the user account of a person from whom the
permissions are delegated to install the read-only domain controller. The figure shows the
relevant page of the wizard:

QUESTION 376
Your corporate network includes an Active Directory Domain Services (AD DS) domain
certbase.de named.
All servers running Windows Server 2012 R2 is installed.
The domain contains a server named Server1. On Server1 the role Windows Deployment
Services Windows Deployment Services (WDS) installed.
You have received a list of MAC addresses newly purchased client computers.
You want the command-line utility wdsutil.exe use to provide in advance the new client computers
in Active Directory.
What parameters do you use?

A. /get-AutoAddDevices
B. /get-Device
C. /add-Device
D. /enable

Answer: C
Explanation:
The /add-Device parameter allows the prerelease deployment of computer accounts in Active
Directory for the installation of the Windows Deployment Services. The parameter allows you to
configure all options that are possible when using the wizard, the console Windows Deployment
Services.

The following call adds the Windows Deployment Services is a prerelease deployment for the
computer Desktop1 with the MAC address 00-B0-56-88-2F -DC without giving added another
option:

WDSUTIL /Add-Device /Device:Desktop1 /ID:00-B0-56-88-2F-DC

QUESTION 377
Your corporate network includes an Active Directory Domain Services (AD DS) domain
certbase.de named.
All servers running Windows Server 2012 R2 is installed.
The domain contains a server named Server1. On Server1 the role Windows Deployment
Services Windows Deployment Services (WDS) installed.
You want the command-line utility wdsutil.exe use to retrieve information about the Active
Directory provided in advance computer Desktop1.
What parameters do you use?

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 345
http://www.braindump2go.com
A. /get-AutoAddDevices
B. /get-Device
C. /add-Device
D. /enable

Answer: B
Explanation:
The / Get-Device parameters enables the retrieval of information on one or more devices
prestaged. The following call retrieves information for a preliminary deployment of the computer
Desktop2:

WDSUTIL / Get-Device / Device: Desktop2

QUESTION 378
Your corporate network includes an Active Directory Domain Services (AD DS) domain
certbase.de named.
The domain contains a domain controller that is named DC-1.
You run the command ping dc-1.contoso.local and get the command output shown in the picture
(click on the button drawing).
You must ensure that DC-1 responds to a ping. What usually open in the Windows Firewall on
DC-1? (This to configure dialog box is shown in the picture. Click the Drawing button.)

A. Active Directory Domain Controller - Echo Request (ICMPv4-In)


B. Active Directory Domain Controller - Echo Request (ICMPv6-In)
C. Active Directory Domain Controller - NetBIOS name resolution (UDP-In)
D. Core network - Destination Unreachable (ICMPv6-In)
E. Core network - Destination Unreachable, fragmentation required (ICMPv4-In)
F. Online Responder Service (DCOM-In)

Answer: A
Explanation:

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 346
http://www.braindump2go.com
The inbound rule "Active Directory Domain Controller - Echo Request (ICMPv4-In)" determines
whether incoming ping requests to allow or block.

QUESTION 379
Your company uses an Active Directory Domain Services (AD DS) domain certbase.de named.
The domain contains a server named Server1. On Server1 Windows Server 2012 R2 Standard is
installed on a Server Core installation.
You need to ensure that Server1 on Windows Server 2012 R2 Datacenter is run in a Server Core
installation.
You want to reach your destination with minimal administrative effort.
What do you do?

A. Perform a clean installation of Windows Server 2012 R2 on Server1.


B. Update the existing Windows Server 2012 R2 installation.
C. Use DISM and perform online maintenance.
D. Use DISM and perform an offline maintenance.

Answer: C
Explanation:

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 347
http://www.braindump2go.com
This command-line tool DISM.exe (Deployment Image Servicing and Management Tool) was
introduced with Windows Server 2008 R2. In addition to numerous other ways can with DISM.exe
also an in-place upgrade of Windows Server 2012 R2 Standard Windows Server performed 2012
R2 Datacenter be. The following command calls can be used here:

DISM / online / Get-Current Edition provides the Windows Edition currently used
DISM / online / Get-TargetEditions provides the possible upgrade paths
DISM / online / Set-Edition [ID Edition] / ProductKey: XXXXX-XXXXX-XXXXX-XXXXX-XXXXX
performs direct update by the specified edition.

QUESTION 380
You are working as a server administrator for the company CertBase.
To install Windows Server 2012 R2 Server Core on a new server computer that is named
Server1.
Once you decide to install the graphical user interface (GUI) on Server1.
Which tool will you use?

A. PowerShell cmdlet Add-Windows Package


B. PowerShell Cmdlet Add-WindowsFeature
C. PowerShell Cmdlet Install-Module
D. PowerShell Cmdlet Install-RoleService

Answer: B
Explanation:
Among the new features of Windows Server 2012 and Windows Server 2012 R2 include the
ability to install them separately or can remove the GUI after the initial installation. In the blog you
can find more information on the topic:

QUESTION 381
You work as an administrator for the company Contoso.
You administer a Windows Server 2012 R2 computer that is named Server1.
You want to create an image of Server1.
To keep the size of the image as small as possible, you want to remove the source files of all
server roles that are not installed on Server1.
Which tool you are use?

A. Ocsetup.exe
B. ServerManagerCMD.exe
C. ImageX.exe
D. Dism.exe

Answer: D
Explanation:

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 348
http://www.braindump2go.com
In order to limit the attack surface of a server to a minimum or to reduce the installation files for a
scheduled imaging, you can completely remove the program files of roles and features that you
are not using from the hard disk.

The cmdlet Uninstall Windows feature has for this purpose over the -Remove parameter.
Alternatively, the command line program Dism.exe with the /Disable-Feature can be used.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 349
http://www.braindump2go.com
Dism.exe also has the new parameter /Cleanup-Image, which it experienced allows users the
size of the directory WinSxS by removing unneeded components to reduce:

QUESTION 382
Your network includes five servers running the operating system Windows Server 2012 R2.
In the five servers, the Failover Clustering feature is installed.
To create a new cluster with the name Cluster1.
The configuration of the cluster is shown in the picture (click on the button drawing).
Site B is a site for disaster recovery.
Server1, Server2 and Server3 are configured as the preferred owner of Cluster1.
The dynamic quorum management is disabled.
You are planning a hardware maintenance for Server3.
You must make sure that the cluster resources remain available to Site A if the WAN connection
fails while you are performing maintenance on Server3.
How do you proceed?

A. Create in StandortA a witness file share.


B. Remove Server3 the nodes vote.
C. Remove Server4 and Server5 the nodes vote.
D. Enable the dynamic quorum administration.

Answer: C
Explanation:
The quorum configuration in a failover cluster, the number of failures is determined that can be
tolerated by the cluster. If another failure occurs, the cluster must stop running. The relevant in
this context are failures or node failures - in some cases - failure of a witness disk (of a copy of
the cluster configuration contains) or a witness file share.
It is essential that the cluster is no longer running, enter if too many failures, or if a problem with
the communication between the cluster nodes is present.
In Windows Server 2012 and Windows Server 2012 R2, you can a node on the extended quorum
settings the "right to vote "escape and manually influence the determination of the majorities in
special situations.
https://technet.microsoft.com/en-us/library/jj612870.aspx

QUESTION 383
You are working as a server administrator for the company contoso.local.
They serve 30 servers on which the operating system is Windows Server 2012 R2 installed.
All servers are backed up daily by Windows Azure Online Backup.
You must perform on all servers an immediate backup in Windows Azure Online Backup.
What PowerShell cmdlets are on each server Run?

A. Start OBRegistration | Start OBBackup


B. Get-OBPolicy | Start OBBackup

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 350
http://www.braindump2go.com
C. Get-WBBackupTarget | Start WBBackup
D. Get-WBPolicy | Start WBBackup
Correct

Answer:
Explanation:
The cmdlet Start-OBBackup starts a one-time backup based on the direction indicated by the -
Policy parameter settings.
The following example retrieves the backup settings and transfers them to the cmdlet Start-
OBBackup:
Get-OBPolicy | Start OBBackup
Gives the following example the Directive explicitly named at:
Start-OBBackup -Name myPolicy

QUESTION 384
You are working as a server administrator for the company contoso.
They serve 20 servers on which the operating system is Windows Server 2012 R2 installed.
You must create a Windows PowerShell script that each server is registered in Windows Azure
Online Backup.
In addition, the script must specify the encryption passphrase.
Which two PowerShell cmdlets, you will include in your script? (Each correct answer presents
part of the solution. Choose two.)

A. New-OBPolicy
B. New-OBRetentionPolicy
C. Add-OBFileSpec
D. Start-OBRegistration
E. Set-OBMachineSetting

Answer: DE
Explanation:
When you register a server with Windows Azure Online Backup, creates a space allocation for
the server in the cloud service, and the server is associated with the subscription. Each server
whose elements you want to back up must be registered with the service, so that online backups
can be performed. The initial configuration of Windows Azure Online Backup Agent is done by a
server using the Windows Azure Online Backup Agent snap-in or Windows register PowerShell
cmdlets for Windows Azure Online Backup Online Portal. Before registering a server for use with
Windows Azure Online Backup, you must run the process described under Log for Windows
Azure Online Backup and install Windows Azure Online Backup Agent.

You can register in 2012 every server running Windows Server 2012 and Windows Server R2,
you want to protect. Prerequisite to perform this operation is a member of the local Administrators
group or equivalent membership. The following code example demonstrates that you can register
a server with Windows Azure Online Backup with Windows PowerShell after you have defined
variables for providing the credentials. If no credentials are specified, you are prompted by the
Registry cmdlet prior to registration, enter the account credentials for the user ID. However, they
are not prompted for the additional server properties that you have configured using the wizard
for registering servers. You can copy the sample code and paste it into a Windows
PowerShell script.

$pwd = ConvertTo-SecureString -String -AsPlainText –Force


$cred = New-Object –TypeName System.Management.Automation.PsCredential –ArgumentList ,
$pwd
Start-OBRegistration -Credential $cred

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 351
http://www.braindump2go.com
If the server is registered, you must specify the server properties with the set-OBMachineSetting
cmdlet. In the following examples show how the various settings can be specified:

Specifying the encryption passphrase

$pass = ConvertTo-SecureString -String -AsPlainText –Force


Set-OBMachineSetting -EncryptionPassphrase $pass

Configuring proxy settings

$spwd = ConvertTo-SecureString -String -AsplainText –Force


Set-OBMachineSetting -ProxyServer proxycontoso.com -ProxyPort -ProxyUsername
Domäne\Benutzername -ProxyPassword $spwd

Configuring throttling settings for bandwidth

$mon = [System.DayOfWeek]::Monday
$tue = [System.DayOfWeek]::Tuesday
Set-OBMachineSetting -WorkDay "Mo", "Tu" -StartWorkHour "9:00:00" -EndWorkHour "18:00:00"
-WorkHourBandwidth (512*1024) -NonWorkHourBandwidth (2048*1024)

If a server does not throttling settings to be used for more bandwidth, use the following command:

Set-OBMachineSetting -NoThrottle

QUESTION 385
Your company uses an Active Directory Domain Services (AD DS) domain named contos.local.
On all servers in the network, the operating system is Windows Server 2012 R2 installed.
The domain contains a file server named Server1. On Server1 role service Resource Manager
File Server is installed.
The computer account of Server1 is in an organizational unit (OU) named OU1.
You have a Group Policy object (GPO) created with the name GPO1 and linked it with OU1.
The relevant settings GPO1 are shown in the picture (click on the button drawing).
Server1 contains a folder named Data1. The folder is shared under the name documents1 the
network. They are trying to "access denied" support according to Configure Server1.
However, you can change the settings for the support for "Access Denied" in the Resource
Manager file server is not configured.
You must make sure that you "access denied" the settings for the support according to manually
configure file servers on Server1 in Resource Manager.
How do you proceed?

A. Enable the policy setting in GPO1 message for error type "Access Denied" adapt.
B. Activate in GPO1 the policy setting support for "Access Denied" Enable Client for all file types.
C. Configure the policy setting "Access Denied" message for error type adapt in GPO1 with Not
Configured.
D. Disable GPO1 in the policy setting support for "Access Denied" Enable Client for all file types.

Answer: C

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 352
http://www.braindump2go.com
Explanation:
policy settings, see >> Computer Configuration \ Policies \ Administrative Templates \
System \ Access-denied-Assistance
message for error type "Access Denied" Customize With this Directive, the message indicates
that users see when accessing a file or folder has been denied.

You can download the message of type "Access Denied" supplemented by additional text and
links. Moreover, you can offer users the ability to send an email to request access to the file or
folder, or the access is denied for.

If you enable this policy setting, users will receive a custom message type "Access denied" from
the file servers on which this policy setting is enabled.

If you disable this policy setting, users with a default message type "Access Denied" is displayed,
which provides, irrespective of the file server configuration none of the controlled by this policy
setting functions.

If this do not configure policy setting, users will be a default message "Access Denied" type
appears, unless the file server was configured to the user-defined message is displayed.

By default, users will get the default message "Access Denied" type displayed. Support "Access
Denied" by Enable Client for all file types, this policy setting should be set to Windows clients to
the support for "Access Denied" to activate for all file types.

QUESTION 386
You are working as a network administrator for the company contoso.
Your network includes a Windows Server 2012 R2 computer that is named Server1.
To install the role file / storage services on Server1.
You use the Windows Explorer and open the properties of a folder named documents1.
They note that the register classification is missing.
You must ensure that you can use Windows Explorer to assign the folder manually documents1
classifications.
How do you proceed?

A. Configure the Folder Options and uncheck the option (Recommended) Sharing Wizard.
B. Install the role service Resource Manager file server.
C. Configure the Folder Options and uncheck Hide protected operating system files
(Recommended).

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 353
http://www.braindump2go.com
D. Install the Role Management Tool tools for sharing and Memory management.

Answer: B
Explanation:
The Resource Manager
File Server provides a number of features for managing and classifying data stored on file servers
data. The Resource Manager File Server includes the following features:
File Classification Infrastructure Provides an insight into your data, which facilitate more efficient
data management is made possible by automating classification processes. You can classify files
and apply policies based on this classification. Example policies include dynamic access control
for restricting file access, file encryption and file expiration. Files can be automatically classified
based on file classification rules or manually by changing the properties of a selected file or
folder.

File Management Tasks


Apply a conditional policy or action for files based on their classification. Among the conditions of
a file management task include the file location, the classification properties, the creation date of
the file, the date the file was last modified or the date the file was last accessed. Among the
possible actions for a file management task includes the ability to run off of files, to encrypt files or
to execute a custom command.

Quota Management
Limit the allowed for a volume or folder location, and can be automatically applied to new folders
that are created on a volume. You can also define quota templates that can be applied to new
volumes or folders.

File Screening Management


Controls the types of files that users can save on a file server. You can restrict the extensions that
can be stored on the file share. For example you can create a file screen, which prevents files are
saved with the extension MP3 in personal shared folders on a file server.

Storage Reports
Identify trends in disk usage and the way in which the data are classified. Storage Reports also
monitor attempts to selected user groups to save unauthorized files.
The features of the File Server Resource Manager can be configured and managed with the
MMC Resource Manager File Server or with Windows PowerShell.

QUESTION 387
Your corporate network includes an Active Directory Domain Services (AD DS) domain named
contoso. The domain contains a Windows Server 2012 R2 member server named Server1.
On Server1 role service Resource Manager is installed on the file server.
You need to configure Server1 to the following requirements:

- Old files that are located in a folder named Folder1, must be moved to
a folder named Archiv1.
- All reports must be stored in a network share.

Which two nodes need to Configure? (To be configured dialog box shown in the picture. Click the
Drawing button.)

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 354
http://www.braindump2go.com
A. Resource Manager File Server (locally)
B. Quotas
C. File Screens
D. Storage Reports Management
E. Classification rules
F. File management tasks

Answer: AF
Explanation:

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 355
http://www.braindump2go.com
For moving old files a file management task can be type file sequence are created.
The locations for reports on the roster report locations are configured in the Options for the
Resource Manager file server. By default, the reports are stored in a local directory.

QUESTION 388
You are working as a server administrator for the company Contoso.
You administer a Windows Server 2012 R2 Server Core computer named Server1.
Server1 is used as a file server.
You must ensure that users register previous versions can use to access previous versions of
files.
Which tool will you use?

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 356
http://www.braindump2go.com
A. Wbadmin
B. Diskpart
C. Storrept
D. Vssadmin

Answer: D
Explanation:

With previous versions, you can access previous versions of files and folders that are shared on
your network. This can be accessed on previous versions of files, must "Shadow Copies of
Shared Folders" is enabled on the file server. Previous versions are read-only until the
restoration. A previous version of the file on the server can not be changed. Calling an earlier
version of a file

Locate the file (on the network), from which you want to view an earlier version, you click with the
right mouse button, and select Properties.

On the Previous Versions tab, select the desired version, and click Open.
In a full installation of Windows Server 2012 R2, you can enable earlier versions of the properties
of the volume.

A Server Core version, you can use the administrative command-line tool of the Volume Shadow
Copy Service (Vssadmin). To enable Shadow Copies of Volume D and to save on volume E
example, you can run the following command:

Vssadmin Add ShadowStorage /for=d: /on=e: /maxsize=2GB

QUESTION 389
Your corporate network includes two Active Directory Domain Services (AD DS) domains.
contoso.com The names of the domains loud and traincert.com.
You administer a Windows Server 2012 R2 computer that is named Server1.
On Server1, the DNS server role is installed.
The server hosting a copy of the zone contoso.com.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 357
http://www.braindump2go.com
You need to configure Server1 traincert.de for the resolution of the name of the zone.
Your solution must meet the following requirements:

- It must be avoided that the configuration of the name servers of the


zone traincert.de must be adapted when it changes.
- The administrative expenses for the maintenance and care of your
solution should turn out as low as possible.

What type of zone you are using?

A. A primary zone
B. A secondary zone
C. A reverse lookup zone
D. A stub zone

Answer: D
Explanation:
Stub zones contain only name server records (NS) and its host (A) records. The DNS client can
retrieve a list of authorized name servers on the stub zone. The host changes (A) entry of a name
server is a stub zone (as opposed to a delegated zone) automatically updated. There are no
manual steps to adapt the Domain Name System (DNS) is required.

QUESTION 390
The Domain Name System (DNS) supports numerous types of entries.
Which listing type associates a domain name, such as www.google.com, with an IP address?

A. A
B. CNAME
C. MX
D. PTR

Answer: A
Explanation:
domains are managed through a worldwide system of domain registrars and databases. The
DNS (Domain Name System) provides mappings between human-readable computer hostnames
and the IP addresses used by the network devices. Basic knowledge of DNS and domain
registrars help administrators manage domains. Domain names are used in URLs and e-mail
addresses that are associated with one or more IP addresses. Domain names consist of several
levels. For example, the domain name "mail.contoso.com" for the following three levels:

.com is the top-level domain.


contoso is the second-level domain.
mail is the third level domain.

Understanding DNS record types and functions


DNS records are used to route traffic from one and a domain. These entries a domain name of a
specific IP address is assigned. The following commonly used DNS records and their functions
are listed:

Name Server Entry


Specifies which name servers are used as the authoritative name server for a given domain. DNS
information can be temporarily stored on multiple name servers, after the non-authoritative name

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 358
http://www.braindump2go.com
server caches contact but the authoritative name server to obtain updated information about a
domain.
A record (address entry) assigns a domain name to an IP address.

CNAME
record (Alias or canonical name) Specifies that it is the domain name is an alias of another
canonical domain name. When hit by a name server for a domain and a CNAME record is found,
the first domain name is replaced with the CNAME and then looks for the new name.

MX record
(mail exchanger) Specifies the server are routed to the e-mails. The entry also contains a priority
field so that e-mail messages can be sent in the prescribed sequence to multiple servers.

SPF
(Sender Policy Framework) A verification system for e-mail, which was developed to prevent e-
mail spoofing and phishing-.

SRV
record (service record) Specifies information about available services. SRV records are used by
some Microsoft cloud services such as Lync Online and Exchange Online, for coordinating the
flow of information between different services.

QUESTION 391
Your company network includes a router with the name Router1. Router1 provides access to the
Internet. You use a Windows Server 2012 R2 computer that is named Server1.
Server1 used Router1 as the default gateway.
One of your colleagues take a new router with the name Router2 in operation.
Router2 also provides access to the Internet.
The internal interface of Router2 is configured with the IP address 10.1.14.254.
You need to configure Server1 so that Router2 is used for connections to Internet resources
when Router1 fails.
What step to run on Server1?

A. Create a route to network 10.1.14.0/24. Enter the IP address 10.1.14.254 as a gateway for the
route and set the metric of the route with 500 fixed.
B. Add the IP address 10.1.14.254 as the default gateway added and set the metric of the route with
500 fixed.
C. Create a route to network 10.1.14.0/24. Enter the IP address 10.1.14.254 as a gateway for the
route and set the metric of the route with 1 fixed.
D. Add the IP address 10.1.14.254 as the default gateway added and set the metric of the route with
1 fixed.

Answer: B
Explanation:
The metric indicates the cost of a route. Existence to a destination several routes at different
speeds, availability or connection costs, as can be done with the metric to prioritize the route
using. The higher the value of the metric of a route, the higher the costs and correspondingly
lower the route is prioritized. Since Windows XP Professional defaults automatically assigned to
the metric based on the transmission rate. The interface metric is added to the metric of a default
gateway. The sum results in the effective metric of the resulting default route.

QUESTION 392
Your corporate network includes an Active Directory Domain Services (AD DS) domain

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 359
http://www.braindump2go.com
certbase.de named.
You have a new Group Policy object (GPO) created to configure the Windows Update settings.
Currently the client computers are configured so that updates can be downloaded from the
Microsoft Update servers gladen.
The users determine when the updates are installed.
To configure the client computer so that Windows updates are installed automatically.
Which policy will configure?

A. Enable Windows Update Power Management to reactivate the system to install scheduled
updates automatically.
B. Configure Automatic Updates
C. Specify intranet Microsoft update service
D. Search frequency for automatic updates
E. Install Automatic Updates Immediately
F. Enable Client-side target allocation

Answer: B
Explanation:

Notes:
The policy Configure Automatic Updates. Specifies whether the computer receives security
updates and other important downloads through the Windows Automatic Updates service and
when they are installed If the service is enabled, you must select in the Group Policy setting one
of the following four options :

2 = notify before downloading any updates and notify again before installation. If Windows
detects updates that can be applied to the computer, an icon in the status area with a message
that informs you that updates are available for download. Clicking the icon or message, you can

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 360
http://www.braindump2go.com
select to download updates. The selected updates are then downloaded from Windows in the
background. After downloading is complete, an icon in the status area again displayed that
informs you that the updates can be installed. When you click the icon or message, you can
select the updates that you want to install.

Automatically download 3 = (default) updates and notify you of updates installable Windows
checks for updates that can be applied to the computer, and loads these automatically in the
background without (the user is not notified during the process or disturbed). After downloading
has been completed, the status area, the icon is displayed, informing you that the updates can be
installed. When you click the icon or message, you can select the updates that you want to install.

Automatically download 4 = Updates and schedule that I specify install Specify the schedule
using the options in the Group Policy setting. By default installations are planned daily for 3 clock
in the morning, if no timetable is given. The completion of the update installation, if a restart is
required, Windows will automatically restart the computer. (If a user is logged on to the computer
when Windows is restarted, the user is notified and can delay the restart.) Windows 8 and
Windows RT: The option to specify the schedule in the Group Policy setting has no effect.

The planning option under "Computer Configuration" -> "Administrative Templates" ->
"Windows Components" - specify> "Activation limit for maintenance" -> "Maintenance
Schedule".

By default installations are planned during the standard maintenance window at 3 clock in the
morning, if no timetable is given. To complete the installation of security updates, if a restart is
required, Windows automatically restarts the computer after the user has been notified of an
impending automatic restart in a given period. If a user is logged on to the computer and a
potential state or data loss is present when Windows is restarted, the restart is delayed until next
unlock the computer by the user.

5 = places allow administrators to select the configuration mode for the update installation
through Automatic Updates This option can be enabled with local administrators, on the Control
Panel icon "Automatic Updates" option to select a configuration. You can select a date for a
planned installation example itself. Local administrators will not be allowed to disable the
configuration for "Automatic Updates". If you want to use this setting, click "Enable", and then
select one of the options (2, 3, 4 or 5). If you choose option 4, you can set a regular schedule (no
schedule specifying all installations are carried out by 3 clock in the morning every day). In
Windows 8 and Windows RT, you can define "Activation limit for maintenance Computer
Configuration \ Administrative Templates \ Windows Components \ Maintenance Schedule \" the
schedule below. If no schedule is specified, all installations are carried out during the standard
maintenance window at 3 clock in the morning.

QUESTION 393
Your corporate network includes an Active Directory Domain Services (AD DS) domain cblabs.de
named. The domain contains two Windows Server 2012 R2 member server with the name
Server3 and Server4. Your manager wants to implement a centralized location where the system
events of all servers in the domain can be collected.
One of your colleagues created on Server3 a collection initiated event subscription for Server4.
To determine that Server3 has received no events of Server4 and check the runtime status of the
subscription.
The runtime status shows the following error: The value passed to a system call data area is too
small. You must ensure that the system events can be collected from Server4 on Server3. What
settings you will configure? (To be configured dialog box is shown in the picture. Click the
Drawing button.)

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 361
http://www.braindump2go.com
A. Target Protocol
B. Select Computer
C. Select events
D. Advanced

Answer: C
Explanation:
The error message described above can occur if selected during Initials transfer too many events.
To avoid the problem, the number of events for the first transmission should be reduced by
limiting the event categories. Once the initial merge is successfully completed, the selection of
events can be expanded again. There is a post in the Windows support forums, describing the
error and correct it.

QUESTION 394
Your corporate network includes an Active Directory Domain Services (AD DS) domain
contoso.com . On all domain controllers running Windows Server 2012 R2 is installed.
A support technician installed at an outdoor location Windows Server 2012 R2 on a server named
DC10.
DC10 is currently a member of a workgroup.
You plan DC10 to a read-only domain controller (RODC) heraufzustufen.
You must ensure that a user can promoted to a read-only domain controller with the username
certbase \ Tom DC10.
Your solution must the permissions that are granted to Tom, minimize.
How do you proceed?

A. Take DC10 to the domain. Run Dsmod.exe and enter the parameter / server to.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 362
http://www.braindump2go.com
B. Use the console Active Directory Users and Computers, and then run the wizard for assigning
object management for the domain object from contoso.com.
C. Use the Active Directory Administrative Center and create an account for a read-only domain
controller.
D. Use the command-line utility Dsmgmt.exe and run the command Local Roles from.

Answer: C
Explanation:
Use the context menu of the container domain controller you can access an assistant for a
preliminary deployment of an account for a read-only domain controller. The wizard asks the
name of the RODC, the destination site and the user account of a person from whom the
permissions are delegated to install the read-only domain controller. The figure shows the
relevant page of the wizard:

QUESTION 395
Your corporate network includes an Active Directory Domain Services (AD DS) domain
contoso.local. The domain contains two Active Directory sites with the names Site1 and Site2.
You are planning to provide a read-only domain controller (RODC) named RODC 1 in Site2.
You use the console Active Directory Users and Computers and prepare an account for a read-
only domain controller.
You must determine which domain controller is used during the promotion process of RODC 1 for
the initial replication.
Which tab in the properties of the prepared computer account you are using ? (to be configured
dialog box shown in the picture. Click the Drawing button.)

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 363
http://www.braindump2go.com
A. General
B. Password Replication Policy
C. Attribute Editor
D. Location
E. Dialup
F. Delegation

Answer: A
Explanation:
About the Register General can be accessed on the NTDS settings RODC-1. In the properties of
the NTDS Settings of the source DC for replication is listed:

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 364
http://www.braindump2go.com
QUESTION 396
Your corporate network includes an Active Directory Domain Services (AD DS) domain
contoso.local.
All servers running Windows Server 2012 R2 is installed.
To configure three domain controller server as a global catalog.
The domain controller associated with a site called SiteA.
You open the snap-in Active Directory Sites and Services.
Which settings should you edit?

A. The settings of the subnet that is associated with SiteA.


B. The settings of the Location object of SiteA.
C. The NTDS Site Settings from SiteA.
D. The NTDS Settings of the three domain controllers.

Answer: D
Explanation:
Enabling the Global Catalog is done at the level of the domain controller in the NTDS Settings for
the domain controller.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 365
http://www.braindump2go.com
QUESTION 397
Your network includes an Active Directory Domain Services (AD DS) domain contoso.loca.
The domain contains a Windows Server 2012 R2 member server named Server1.
To create a group managed service account named gService1.
You must configure a service named service1 so that it is executed in the security context of
gService1 account.
How do you proceed?

A. Run the PowerShell cmdlet Set-Service in conjunction with the parameter -PassThrough.
B. At a command prompt with elevated privileges, the command-line utility SC.exe in conjunction
with the parameter config.
C. Perform at the PowerShell cmdlet set service in conjunction with the parameter -StartupType.
D. At a command prompt with elevated privileges, the command-line utility SC.exe in connection
with the parameter control of.

Answer: B
Explanation:
This command-line utility Sc.exe beietet extensive options for configuring and controlling
services. The identity of a service can be set, for example with the following call:
Sc config Dienst1 obj=CertBase\gService1 password=myPassword

QUESTION 398
Your network contains an Active Directory domain named contoso.com.
The domain contains a domain controller named DC1 that runs Windows Server 2012.
You have a Group Policy object (GPO) named GPO1 that contains several custom Administrative
templates.
You have the display for the settings of the GPO filter so that only settings are shown that are
removed from the registry when the GPO is no longer in range of the computer or the user.
Your solution must ensure that only settings are displayed that are either enabled or disabled and
do not contain a comment.
How should you configure the filter?
To answer, select the appropriate options below. Select three.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 366
http://www.braindump2go.com
Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 367
http://www.braindump2go.com
A. Set Managed to: Yes
B. Set Managed to: No
C. Set Managed to: Any
D. Set Configured to: Yes
E. Set Configured to: No
F. Set Configured to: Any
G. Set Commented to: Yes
H. Set Commented to: No
I. Set Commented to: Any

Answer: ADH

QUESTION 399
Your network contains an Active Directory domain named contoso.com.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 368
http://www.braindump2go.com
All client computers run Windows 8 Pro.
You have a Group Policy object (GPO) named GP1. GP1 is linked to the domain. GP1 contains
the Windows Internet Explorer 10 and 11 Internet Settings.
The settings are shown in the exhibit.

Users report that when they open Windows Internet Explorer, the home page is NOT set to http://
www.contoso.com.
You need to ensure that the home page is set to http://www.contoso.com the next time users log
on to the domain.
What should you do?

A. On each client computer, run gpupdate.exe.


B. Open the Internet Explorer 10 and 11 Internet Settings, and then press F5.
C. Open the Internet Explorer 10 and 11 Internet Settings, and then modify the Tabs settings.
D. On each client computer, run Invoke-GPupdate.

Answer: B
Explanation:
Since the introduction of Windows Server 2012 and Windows 8, you can group policy settings for
all computers in an organizational unit remotely from a central location using the Group Policy
Management Console (Group Policy Management Console GPMC) update. Alternatively you can
use the Invoke-GPUpdate cmdlet to update the Group Policy of a sentence using computer,

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 369
http://www.braindump2go.com
which is not limited to the organizational unit, for example, if the computers are located in the
default Computers container. When Remote Update Group Policy all Group Policy settings to be
updated, including for group of remote computers specified security settings. For this functionality
is used, which was added to the context menu of an organizational unit in the Group Policy
Management Console (GPMC). If you select an organizational unit for the remote update of the
Group Policy settings on all computers that OU, the following actions occur:
An Active Directory query returns a list of all computers in the organizational unit back.
For each computer the selected organizational unit WMI call retrieves the list of registered users.
A remote scheduled task is created to Gpupdate.exe / force run for each logged-in user and
once to update the Group Policy of the computer. The scheduled task is scheduled to run with a
random delay of up to 10 minutes to reduce the burden of network traffic. This random delay can
not be configured when using the GPMC. By contrast, you can configure or specify that the
scheduled task when using the random delay for the scheduled task Invoke-GPUpdate cmdlets
is executed immediately.

QUESTION 400
Your corporate network includes an Active Directory Domain Services (AD DS) domain contoso.
On all domain controllers running Windows Server 2012 R2 is installed.
The domain contains a Group Policy object (GPO) named GPO1.
One of your colleagues makes a backup of GPO1 and stores them on a USB flash drive.
You connect the USB flash drive with a domain controller named dc1.contoso.
You must identify the domain-specific references in GPO1.
How do you proceed?

A. from migrator table editor, click populate from gpo


B. from migrator table editor, click populate from backup
C. from gpm, run Group Policy Management modelling wizard
D. from Group Policy Management, run gp results wizard

Answer: B
Explanation:

A migration table is when you copy or import a GPO (Group Policy Object, GPO) from one
domain or forest used in another. The biggest challenge when migrating GPOs from one domain
or forest to another is that some information in the GPO specifically relate to the domain or forest
where the GPO is defined.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 370
http://www.braindump2go.com
When transferring the GPO to a new domain or forest, it is not always desirable or possible to use
exactly the same settings.

You can use a migration table to refer to users, groups, computers, and UNC paths in the source
GPO and then new values in the destination GPO to assign.

QUESTION 401
Your corporate network includes an Active Directory Domain Services (AD DS) domain contoso.
On all domain controllers Windows Server 2012 R2 is installed. The domain contains two
organizational units (OUs) containing the names OU1 and OU2. Both organizational units are
located in the root directory of the domain. They create two GPOs (GPOs) containing the names
and GPO1 GPO2.
To associate with GPO1 OU1 and OU2 GPO2 with. OU1 contains a computer account named
Desktop1.
OU2 includes a user account that is named User1.
You must make sure that is GPO1 applied to user1 when user1 logs in.
What do you configure?

A. The Group Policy Object Status.


B. The Group Policy Object Links.
C. The option Enforced.
D. The security filtering

Answer: B
Explanation:
To ensure that the settings are applied from GPO1 on User1, we can either move the account of
user1 in the organizational unit OU1 or link the GPO GPO1 in addition to the existing link with
OU1 with OU2. Alternatively, it would also be possible to activate the loopback processing for the
user settings.

QUESTION 402
Your corporate network includes an Active Directory Domain Services (AD DS) domain contoso
The domain contains a Windows Server 2012 R2 computer that is named Server1.
On Server1 role service RD Session Host is installed.
The computer account of Server1 is in an organizational unit (OU) named OU1.
You create a Group Policy object (GPO) named GPO1 and link it to OU1. The settings of GPO1
are shown in the picture (click on the button drawing).
You must prevent the settings are applied from GPO1 on Tom's account when Tom logs on to

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 371
http://www.braindump2go.com
Server1. However GPO1 must be applied to all other users who log on to Server1.
What you configure?

A. Security Filtering
B. WMI Filtering
C. Disabling the Policy Inheritance
D. Item-level targeting

Answer: A
Explanation:
GPO1 is for the loopback of user Group Policy mode Replace configured. Regardless of where
Tom's account is stored, the user configuration settings from GPO1 be applied. In order to avoid
that GPO1 applied to Tom, we can configure the security settings of the GPO so that Tom be
refused to take over the rights.
For the Apply the settings of a GPO, the permissions Read and Apply Group Policy required.

QUESTION 403
They are active as an IT consultant for a fashion company.
The company uses an Active Directory forest with a single domain.
The manager of the company reports that it gets displayed a desktop background, whom he has
not chosen himself.
In an interview with the IT department, you will learn that a former colleague more than 20 Group
Policy objects (GPOs) created and it has not yet succeeded, determine which GPO configures
the desktop background of the manager.
How do you support the IT department in solving the problem?

A. From Group Policy Management, run the Group Policy Results Wizard.
B. Run the Group Policy Results Wizard for the computer account of the manager.
C. Run the Group Policy Results Wizard for the user account of the manager.
D. Run the Group Policy Results Wizard for all computer accounts to the domain.

Answer: C
Explanation:
The configuration of the desktop background is part of the user configuration. By carrying out the
Group Policy Results Wizard for the user account of the manager can be found, which GPOs
(GPOs) are applied to the order in which the user account of the manager. In addition, the report
of the Group Policy Results Wizard can be seen that each GPO is crucial for the effective
configuration of the individual directives.

QUESTION 404
Drag and Drop Question
Your network contains a single Active Directory domain named contoso.com.
The domain contains an Active Directory site named Site1 and an organizational unit (OU) named
OU1. The domain contains a client computer named Client1 that is located in OU1 and Site1.
You create five Group Policy objects (GPO).
The GPOs are configured as shown in the following table.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 372
http://www.braindump2go.com
You need to identify in which order the GPOs will be applied to Client1.
In which order should you arrange the listed GPOs? To answer, move all GPOs from the list of
GPOs to the answer area and arrange them in the correct order.

Select and Place:

Answer:

Explanation:
Basically determines the order in which the GPOs are applied by Group Policy, the ranking.
The default order is local, site, domain, organizational unit and subordinate organizational units
(OU LSD). Therefore GPOs have in child OUs overrides associated with parent OUs GPOs. This
in turn take precedence over the domain linked GPOs, which take precedence over the site linked
GPOs. Direction for use, or LSD-OU (LSDOU)

Local Policy

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 373
http://www.braindump2go.com
GPOs that are linked to the site
GPOs that are linked to the domain
GPOs that are linked to organizational units (from the parent OU to subordinate)

The Standardreiehnfolge processing can be set by forcing a Group Policy object or by disabling
the inheritance of a GPO repealed. Enforced When a GPO enforced it will put at the end of the
processing sequence. If more than one GPO to "forced" option is enabled, the GPOs are applied
in reverse default order (L-OU-DS). In this way ensures that the settings of Domain Admins will
not be overwritten by forcing the settings of a Delegated Administrator at a subordinate level. If
several enforced GPO objects linked on the same level as, shall be the highest priority by (the
sorted upwards). Inheritance disable The above the OU linked GPOs are not inherited or
blocked. Is activated by a higher-level object "forced", so the inheritance can not be prevented.
Thus, the Domain Administrator can always prevail with its settings.

QUESTION 405
Drag and Drop Question
Your network contains a production Active Directory forest named contoso.com and a test Active
Directory forest named test.contoso.com.
There is no network connectivity between contoso.com and test.contoso.com.
The test.contoso.com domain contains a Group Policy object (GPO) named GPO1.
You need to apply the settings in GPO1 to the contoso.com domain.
Which four actions should you perform? To answer, move the four appropriate actions from the
list of actions to the answer area and arrange them in the correct order.

Answer:

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 374
http://www.braindump2go.com
Explanation:
1. Run the Backup-gpo cmdlet
2. User removable media to transfer the contects of test.contoso.com to contoso.com
3. Create a gpo in contoso.com
4. Run the import-gpo cmdlet
http://technet.microsoft.com/en-us/library/ee461050.aspx
http://technet.microsoft.com/en-us/library/ee461044.aspx

QUESTION 406
Drag and Drop Question
Your network contains an Active Directory domain named contoso.com.
All client computers run Windows 7. Group Policy objects (GPOs) are linked to the domain as
shown in the exhibit. (Click the Exhibit button.)
GP02 contains user configurations only and GP03 contains computer configurations only.
You need to configure the GPOs to meet the following requirements:

- Ensure that GP02 only applies to the user accounts in OU2 that are
members of a global group named Group2.
- Ensure that GP03 only applies to the computer accounts in OU3 that
have more than 100 GB of free disk space.

What should you do?


To answer, drag the appropriate setting to the correct GPO. Each setting may be used once,
more than once, or not at all. You may need to drag the split bar between panes or scroll to view
content.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 375
http://www.braindump2go.com
Answer:

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 376
http://www.braindump2go.com
QUESTION 407
Drag and Drop Question
Your network contains an Active Directory domain named contoso.com.
You deploy a web-based application named App1 to a server named Server1.
App1 uses an application pool named AppPool1.
AppPool1 uses a domain user account named User1 as its identity.
You need to configure Kerberos constrained delegation for User1.
Which three actions should you perform? To answer, move the three appropriate actions from the
list of actions to the answer area and arrange them in the correct order

Answer:

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 377
http://www.braindump2go.com
QUESTION 408
Drag and Drop Question
Your network contains an Active Directory domain named contoso.com. All client computers run
Windows 8. Group Policy objects (GPOs) are linked to the domain as shown in the exhibit. (Click
the Exhibit button.)

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 378
http://www.braindump2go.com
GPO2 contains computer configurations only and GP03 contains user configurations only.
You need to configure the GPOs to meet the following requirements:

- Ensure that GPO2 only applies to the computer accounts in OU2 that
have more than one processor.
- Ensure that GP03 only applies to the user accounts in OU3 that are
members of a security group named SecureUsers.

Which setting should you configure in each GPO? To answer, drag the appropriate setting to the
correct GPO. Each setting may be used once, more than once, or not at all. You may need to
drag the split bar between panes or scroll to view content.

Answer:

QUESTION 409
Drag and Drop Question
Your network contains an Active Directory forest named contoso.com. Recently, all of the domain
controllers that ran Windows Server 2003 were replaced by domain controllers that run Windows
Server 2012 R2.
From Event Viewer, you discover SYSVOL journal wrap errors on a domain controller named
dclO.contoso.com.
You need to perform a non-authoritative synchronization of SYSVOL on DC10.
Which three actions should you perform on DC10?
To answer, move the three appropriate actions from the list of actions to the answer area and

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 379
http://www.braindump2go.com
arrange them in the correct order.

Answer:

QUESTION 410
Hotspot Question
Your network contains an Active Directory domain named contoso.com.
The domain contains a domain controller named DC1 that runs Windows Server 2012.
The domain contains some test client computers that run either Windows XP, Windows Vista,
Windows 7, or Windows 8.
The computer accounts for the test computers are located in an organizational unit (OU) named
OU1.
You have a Group Policy object (GPO) named GP01 linked to OU1.
GPO1 is used to assign several applications to the test computers.
You need to ensure that when the test computers in OU1 restart, you can see which application
installation is running currently.
Which setting should you modify in GPO1? To answer, select the appropriate setting in the

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 380
http://www.braindump2go.com
answer area.

Answer:

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 381
http://www.braindump2go.com
Explanation:
The guidelines shown are located in the section Computer Configuration\Administrative
Templates\System.

Directive: Show Extremely detailed status messages

This policy setting directs the system to display highly detailed status messages.

This policy setting is intended for advanced users who need this information.

If this . enable policy setting, status messages are displayed for each individual step in the
startup, shutdown, logon or logoff

If you disable this policy setting or do not configure, only the standard system messages are
displayed during these operations.

Note: This policy setting is ignored if the setting "" Status messages to reboot, shutdown, login
and logout remove "" is enabled.

QUESTION 411
Hotspot Question
Your network contains an Active Directory domain named fabrikam.com.
You implement DirectAccess and an IKEv2 VPN.
You need to view the properties of the VPN connection.
Which connection properties should you view? To answer, select the appropriate connection
properties in the answer area.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 382
http://www.braindump2go.com
Answer:

Explanation:
Position 1 symbolizes a wired network connection. Position 2 indicates the DirectAccess
connection. Is located at position 3 the known symbol of wireless (WIFI) connection and the
symbol in position 4 identifies a VPN connection.

QUESTION 412
Hotspot Question
Your network contains an Active Directory domain named corp.contoso.com.
The domain contains two member servers named Server1 and Edge1.
Both servers run Windows Server 2012. Your company wants to implement a central location
where the system events from all of the servers in the domain will be collected.
From Server1, a network technician creates a collector-initiated subscription for Edge1.
You discover that Server1 does not contain any events from Edge1.
You view the runtime status of the subscription as shown in the exhibit.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 383
http://www.braindump2go.com
You need to ensure that the system events from Edge1 are collected on Server1.
What should you modify? To answer, select the appropriate object in the answer area.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 384
http://www.braindump2go.com
Answer:

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 385
http://www.braindump2go.com
Explanation:
If you intend to specify a user account by using the Specific User option in Advanced Subscription
Settings when creating the subscription, you must ensure that account is a member of the local
Administrators group on each of the source computers
http://technet.microsoft.com/en-us/library/cc748890.aspx

QUESTION 413
Hotspot Question
Your network contains an Active Directory domain called contoso.com.
The domain contains a domain controller named DC1 that runs Windows server 2012.
The domain contains some test client computers that run either Windows XP, Windows Vista,
Windows 7, or Windows 8.
The computer accounts for the test computers are located in an organizational unit (OU) named
OU1.
You have a Group Policy object (GPO) named GPO1 linked to OU1.
GPO1 is used to assign several applications to the test computers.
You need to ensure that when the test computers in OU1 restart, you can see which application
installation is running currently.
Which setting should you modify in GPO1? To answer, select the appropriate setting in the
answer area.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 386
http://www.braindump2go.com
Answer:

Explanation:
Allows you to receive verbose startup, shutdown, logon, and logoff status messages.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 387
http://www.braindump2go.com
Verbose status messages may be helpful when you are troubleshooting slow startup, shutdown,
logon, or logoff behavior.
http://support.microsoft.com/kb/325376

QUESTION 414
Hotspot Question
Your network contains an Active Directory forest named contoso.com.
The forest contains a single domain. The DNS zone is Active Directory-integrated contoso.local
and configured so that the zone data to all DNS servers running on domain controllers in the
domain certbase.de replicated. Server1 is a member server of the domain.
The IP address of Server1 is in the zone contoso.local registered.
You must determine when the DNS record of Server1 was last updated.
In which Active Directory partition to see the DNS record of a Server1? (To be configured dialog
box shown in the picture. Click the Drawing button.)

Answer:

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 388
http://www.braindump2go.com
Explanation:
In the task is mentioned that the zone data to all DNS servers running on domain controllers in
the domain certbase.de replicated.
The zone data is consequently in the Active Directory partition DomainDnsZones saved.

QUESTION 415
File1 has been encrypted by Contoso\admin1
File2 has been encrypted by Server1\admin1
File3 has been encrypted by Server1\administrator

You need to back up the DRA agents.


Who is the owner of each of the agents.
There is a selection of drop down boxes.
You should to select one in every file.

File1: Contoso\admin
Contoso\administrator
Server1\admin1
Server1\administrator

File2: Contoso\admin
Contoso\administrator
Server1\admin1
Server1\administrator

File3: Contoso\admin
Contoso\administrator
Server1\admin1
Server1\administrator

Answer:
Contoso\administrator;Server1\administrator;Server1\administrator;

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 389
http://www.braindump2go.com
Explanation:
https://technet.microsoft.com/en-us/library/cc512680.aspx
By default, the data recovery agent is defined to be the administrator account. On stand-alone
workstations and workgroup machines, the administrator account is the local administrator; on
domain-joined machines, the administrator account is the first domain controller's administrator
account.
I think the first one is in the Contoso Domain, so the Agent should be Contoso/Administrator.
The other ones seem to be a local machine. It depends how the question introduced the
machines. But I would say these are local ones. So the agent should be Server1/Administrator in
both cases.
File1 has been encrypted by Contoso\admin1
File2 has been encrypted by Server1\admin1
File3 has been encrypted by Server1\administrator

QUESTION 416
Transferring FSMO Roles with MMC Tool
You plan to transferring DC that holding FSMO roles.
You need to select which tools can use to transfer domain naming master role and Operations
master roles.

Answer:
I ALSO HAD THIS ONE ON THE EXAM, BUT I’M MIGHT BEING MISSING A LITTLE DETAIL,
BUT I SURE IS 90% COMPLETE.

This are extra information, just in case they change de question!

SUMMARY

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 390
http://www.braindump2go.com
There are five Flexible Single Master Operations (FSMO) roles in a Windows 2000 forest.
There are two ways to transfer a FSMO role in Windows 2000. This article describes how to
transfer all five FSMO roles by using Microsoft Management Console (MMC) snap-ins. The five
FSMO roles are:

Schema Master - One master role holder per forest. The schema master FSMO role holder is the
domain controller responsible for performing updates to the directory schema.

Domain Naming Master - One master role holder per forest. The domain naming master FSMO
role holder is the DC responsible for making changes to the forest-wide domain name space of
the directory.

Infrastructure Master - One master role holder per domain. The infrastructure FSMO role holder
is the DC responsible for updating an object's SID and distinguished name in a cross-domain
object reference.

RID Master - One master role holder per domain. The RID master FSMO role holder is the single
DC responsible for processing RID Pool requests from all DCs within a given domain.

PDC Emulator - One master role holder per domain. The PDC emulator FSMO role holder is a
Windows 2000 DC that advertises itself as the primary domain controller (PDC) to earlier version
workstations, member servers, and domain controllers. It is also the Domain Master Browser and
handles password discrepancies.

For additional information about FSMO roles in Windows 2000, click the article number below to
view the article in the Microsoft Knowledge Base:
197132 Windows 2000 Active Directory FSMO Roles

Note To successfully perform the steps in this article, you must be a member of the Enterprise
Administrators group.

You plan to transferring DC that holding FSMO roles.


You need to select which tools can use to transfer domain naming master role and Operations
master roles.

QUESTION 417
What roles do you use to move and domain naming server and infrastructure master?

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 391
http://www.braindump2go.com
Answer:

QUESTION 418
Which 2 tools to use for the Export of the DFS Files and Database to a new replica DFS
Choose from 4 options amongst which are:

Answer:

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 392
http://www.braindump2go.com
Explanation:
I ALSO HAD THIS ONE ON THE EXAM, BUT I’M MIGHT BEING MISSING A LITTLE DETAIL,
BUT I SURE IS 90% COMPLETE.
Robocopy

The Robocopy (Robust File Copy) command-line utility is included with Windows Server 2012 R2,
Windows Server 2012, Windows Server 2008 R2, and Windows Server 2008. The utility provides
extensive options that include copying security, backup API support, retry capabilities, and
logging. Later versions include multi-threading and un-buffered I/O support.

https://technet.microsoft.com/en-us/library/dn495044.aspx
https://technet.microsoft.com/en-us/library/dn495052.aspx

QUESTION 419
You have a WSUS server and you have a user that needs french windows updates.
You check the server and you only have english.
What should you do?

Answer: “You must configure the Upstream WSUS server (root WSUS server)
to download updates in all languages that are used throughout the
entire organization.”

Explanation:
https://technet.microsoft.com/en-us/library/hh328568(v=ws.10).aspx

QUESTION 420

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 393
http://www.braindump2go.com
You have a group managed Service Account name Account01.
Only three servers named Server01, Server02 and Server03 are allowed to use Account01
service account.
You plan to decommission Server01.
You need to prevent Server01 from using the Account01 service account.
The solution must ensure that Server02 and Server03 continue to use the Account01 service
account What command should you run? To answer, select the appropriate options in the answer
area.

A. Set-ADServiceAccount
B. Uninstall-ADServiceAccount
C. remove-ADServiceAccount
D. Reset-ADServiceAccountPassword

Answer: D
Explanation:
https://technet.microsoft.com/en-us/library/ee617190.aspx
https://www.petri.com/restrict-privileged-accounts-with-authentication-silos-in-windows-server-
2012-r2

QUESTION 421
Create a starter gpo call Starter_GPO, and assign edit permission to a group Group1 Create a
new gpo called GPO1

A. *** in GPO1
B. change Administrative Template in GPO1
C. change the Group policy preference of Starter_GPO
D. change the permission of Starter_GPO

Answer: C

QUESTION 422
One user needed a mapped drive but if they had it already you weren't to replace it.
another user had a mapped drive.
You need to update the UNC but not any other settings.

Answer:

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 394
http://www.braindump2go.com
QUESTION 423
Direct access that slow inernet and intranet for users in office.
Without Direct Access users have no issue.
What cause the problem?

Answer: "enforce tunneling"

QUESTION 424
How to add the company name with the direct-access connection; the name has to appeared
when user click on network icon.

A. add a friendly name

Answer: A
Explanation:
On network connectivity assistant page, "add a friendly name"
Provide a friendly name for the DirectAccess connection.
This name appears in the network list when users click the network icon in the notification area.
Select the Allow DirectAccess clients to use local name resolution check box, if required.
http://technet.microsoft.com/en-ca/library/jj134239.aspx

QUESTION 425
You Create Service Account: Service NT\Service1.
You see the Service1 Properties Popup.
The question is: What kind of Account is the service Account used on the computer?

"virtual Account" ,

Which account is used when this Serviceaccount gets into Network? - If a service accesses the
network while running as a virtual account, it accesses resources as the

Answer: “computer account” (DOMAIN\Computername$)

QUESTION 426
You have a group policy.
You need to add a comment into the group policy. How do you do this?

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 395
http://www.braindump2go.com
Answer: You edit the GPO Object

QUESTION 427
Active Directory Recycle Bin is enabled.
You discover that a support technician accidentally removed 100 users from an Active Directory
group named Group1 an hour ago.
You need to restore the membership of Group1.
What should you do?

A. Perform tombstone reanimation.


B. Export and import data by using Dsamain.
C. Perform a non-authoritative restore.
D. Recover the items by using Active Directory Recycle Bin.

Answer: D

QUESTION 428
Which command to list global object access auditing entries for file and folder on Server1

First Down-Drop option Second Down-Drop option


/type:File /view

auditpol.exe /get
can't remember /list
Get-ACL /resourceSACL
secedit.exe can't remember

Answer: Pending
Explanation:
http://technet.microsoft.com/en-us/library/ff625687.aspx

QUESTION 429
You need to use group Managed Services Accounts to identify on App1.
Need to drag-drop 3 process with correct in sequence steps.

Add-KdsRootKey
New-ADServiceAccount
Set-ADServiceAccount
Install-ADServiceAccount
Add modify to App1

Answer: Add-KdsRootKey, New-ADServiceAccount, Add modify to App1

QUESTION 430
How to give the minimum required permission to a user who wants to promote a RODC

A. Enterprise Admins
B. can't remember
C. can't remember
D. Domain Admins

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 396
http://www.braindump2go.com
Answer: A

QUESTION 431
Server1 download update from microsoft update.
You have Server2 that must syncronize update from Server1.
Have firewall separate between Server1 and Server2.
Which port should to open on Server2 to syncronize ?

A. 80
B. 443
C. 3389
D. 8530

Answer: D

QUESTION 432
How to create or remove service account?

A. Add-ADComputerServiceAccount
B. New-ADGroup

Answer: A
Explanation:
To create a new managed service account
Add-ADComputerServiceAccount

Creating and using managed service accounts

The following procedures can be used to create and administer managed service accounts.
To import the Active Directory module for Windows PowerShell

Click Start, click All Programs, click Windows PowerShell 2.0, and then click the Windows
PowerShell icon.
Run the following command: Import-Module ActiveDirectory.
To create a new managed service account

On the domain controller, click Start, and then click Run. In the Open box, type dsa.msc, and then
click OK to open the Active Directory Users and Computers snap-in. Confirm that the Managed
Service Account container exists.
Click Start, click All Programs, click Windows PowerShell 2.0, and then click the Windows
PowerShell icon.
Run the following command: New-ADServiceAccount [-SAMAccountName <String>] [-Path
<String>].
Associate the new MSA to the computer account by running the following command: Add-
ADComputerServiceAccount [-Identity] <ADComputer> <ADServiceAccount[]>

See Add-ADComputerServiceAccount for the complete syntax.

https://technet.microsoft.com/en-us/library/dd548356(v=ws.10).aspx

QUESTION 433

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 397
http://www.braindump2go.com
You configure server1 for ssl for all wsus metadata by using a CA. Server2 must sync from
server1.

A. from iis, import certificate


B. from update services, windows server update services config wizard
C. cmd, wsutil.exe configssl server2
D. cmd, wsutil.exe configssl server1

Answer: D
Explanation:
Note, template command WSUSUtil.exe configuressl <Intranet FQDN of the site system server>.

QUESTION 434
You have a server named Server1.
You enable BitLocker Drive Encryption (BitLocker) on Server1.
You need to change the password for the Trusted Platform Module (TPM) chip.
What should you run on Server1?

A. Initialize-Tpm
B. Import-TpmOwnerAuth
C. repair-bde.exe
D. bdehdcfg-exe

Answer: B
Explanation:
The Import-TpmOwnerAuth cmdlet imports a valid Trusted Platform Module (TPM) owner
authorization value to the registry.
https://technet.microsoft.com/en-us/%5Clibrary/JJ603118(v=WPS.630).aspx

QUESTION 435
You deploy a Windows Server Update Services (WSUS) server named Server01.
You plan to use a Group Policy object (GPO) to configure all client computers to use Server01 as
a Microsoft update server and assign the client computers to computer groups.
You need to ensure that the computer are assigned to the correct computer groups automatically
when the GPO is deployed.
Which two actions should you platform before you deploy the GPO? Each correct answer
presents parts of solution.

A. From Windows PowerShell, run the Approve-WSUSUpdate cmdlet.


B. From Windows PowerShell, run the Add-WSUSUpdate cmdlet.
C. From the Update Service console, manually create the computer groups.
D. From the Update Service console, modify the Computers option.
E. From the Update Service console, modify the Products and Classifications options.

Answer: AC

QUESTION 436
Your Network contains oneActive Directory domain named contoso.com.
You pilot DirectAccess on the network.
During the pilot deployment, you enable DirectAccess only for a group Contoso\Test Computers.
Ones the pilot is complete, you need to enable DirectAccess for all the client computers in the

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 398
http://www.braindump2go.com
domain.
What should you do?

A. From Group Policy Management, modify the security filtering of an object named Direct Access
Server Setting Group Policy.
B. From Active Directory Users and Computers, modify the membership of the Windows
Authorization Access Group.
C. From Group Policy Management, modify the security filtering of an object named Direct Access
Client Setting Group Policy.
D. From Remote Access Management Console, run the remote access Server Setup wizard.

Answer: C
Explanation:
http://technet.microsoft.com/en-us/library/jj574180.aspx
http://technet.microsoft.com/en-us/library/hh918432(v=wps.630).aspx

QUESTION 437
Your Network contains oneActive Directory domain named contoso.com.
You pilot DirectAccess on the network.
During the pilot deployment, you enable DirectAccess only for a group Contoso\Test Computers.
Ones the pilot is complete, you need to enable DirectAccess for all the client computers in the
domain.
What should you do?

A. From Windows PowerShell, run the Ser-DAServer cmdlet.


B. From Remote Access Management Console, run the remote access Server Setup wizard.
C. From Group Policy Management, modify the security filtering of an object named Direct Access
Server Setting Group Policy
D. From Group Policy Management, modify the security filtering of an object named Direct Access
Client Setting Group Policy.

Answer: D

QUESTION 438
Your Network contains oneActive Directory domain named contoso.com.
You pilot DirectAccess on the network.
During the pilot deployment, you enable DirectAccess only for a group Contoso\Test Computers.
Ones the pilot is complete, you need to enable DirectAccess for all the client computers in the
domain.
What should you do?

A. From Windows PowerShell, run the Ser-DAClient cmdlet.


B. From Windows PowerShell, run the Ser-DirectAccess cmdlet.
C. From Active Directory Users and Computers, modify the membership of the Windows
Authorization Access Group.
D. From Group Policy Management, modify the security filtering of an object named Direct Access
Client Setting Group Policy.

Answer: D
Explanation:
http://technet.microsoft.com/en-us/library/jj574180.aspx
http://technet.microsoft.com/en-us/library/hh918432(v=wps.630).aspx

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 399
http://www.braindump2go.com
QUESTION 439
Your network contains an Active Directory domain named contoso.com.
All user accounts reside in an organizational unit (OU) named OU1.
All of the users in the marketing department are members of a group named Marketing.
All of the users in the human resources department are members of a group named HR.
You create a Group Policy object (GPO) named GPO1.
You link GPO1 to OU1.
You configure the Group Policy preferences of GPO1 to add two shortcuts named Link1 and
Link2 to the desktop of each user.
You need to ensure that Link1 only appears on the desktop of client computers that have more
than 80 GB of free disk space and Link2 only appears on the desktop of client computers that
have less than 80 GB of free disk space.
What should you configure?

A. Group Policy Inheritance


B. WMI Filtering
C. Security Filtering
D. Item-level targeting

Answer: B

QUESTION 440
Drag and Drop Question
You have a group Managed Service Account named Account01. Only tree servers named
Server01, Server02 and Server03 allowed to use the Account01 service account.
You plan to decommission Server01.
You need to prevent Server01 from using the Account01 service account. The solution must be
ensure that Server02 and Server03 continue to use the Account01 service account.
What command should you run?

Drop Down
Remove-ADServiceAccount
Reset-ADServiceAccount
Set- ADServiceAccount
Account01>>

-DNSHomeName
-PrincipalsAllowedToRetrieveManagedPassword
-SAMAccountName
-Server
>>>

Server01
Server01$
Server02, Server 03
Server02$, Server03$

Answer: Set- ADServiceAccount-PrincipalsAllowedToRetrieveManagedPassword Server02$,


Server03$

QUESTION 441

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 400
http://www.braindump2go.com
Your Network contains an Active Directory domain named contoso.com.
All domain controllers run Windows Server 2012 R2.
A central store is configured on the domain controller named DC1.
You have a custom administrative template file name App1.admx. App1.admx contains
application setting for an application App1.
You copy App1.admx to the central store.
You create a Group Policy object (GPO) name App1_Setting.
When you edit App1_Settings, you receive the warning massage show in following...

>>Exhibit>>

An appropriate recource file could not be found for file


\\contoso.com\SysVol\contoso.com\PoliciesDefinations\App1.admx (error =2):
The system cannot find the file specified.
You need to ensure that you can edit the settings for App1_Settings GPO.
What should you do?

A. Copy an ADML file to the central store.


B. Move the ADMX file to the local PolicyDefinations Folder.
C. Modify the permission of the ADMX File.
D. Add an Administrative Template to the App1_Settings GPO.

Answer: A

QUESTION 442
Your network contains an Active Directory domain named contoso.com.
Domain controllers run either Windows Server 2008, Windows Server 2008 R2, or Windows
Server 2012 R2.
You have a Password Settings object (PSOs) named PSO1.
You need to view the settings of PSO1.
Which tool should you use?

A. Group Policy Management


B. Get-ADFineGrainedPasswordPolicy
C. Get-ADDefaultDomainPasswordPolicy
D. Server Manager

Answer: B
Explanation:
The Get-ADFineGrainedPasswordPolicy cmdlet gets a fine grained password policy or performs
a search to retrieve multiple fine grained password policies.
Note:
* In Windows Server 2008 (and later), you can use fine-grained password policies to specify
multiple password policies and apply different password restrictions and account lockout policies
to different sets of users within a single domain. For example, to increase the security of
privileged accounts, you can apply stricter settings to the privileged accounts and then apply less
strict settings to the accounts of other users. Or in some cases, you may want to apply a special
password policy for accounts whose passwords are synchronized with other data sources.

Get Latest & Actual 70-411 Exam's Question and Answers from Braindump2go. 401
http://www.braindump2go.com

You might also like