Q1. - (Topic 3)
Your network contains an Active Directory domain named adatum.com. The domain contains several thousand member servers that run Windows Server 2012 R2. All of the computer accounts for the member servers are in an organizational unit (OU) named ServersAccounts. Servers are restarted only occasionally.
You need to identify which servers were restarted during the last two days.
What should you do?
A. Run dsquery computer and specify the -stalepwd parameter.
B. Run dsquery server and specify the -o parameter.
C. Run Get-ADComputer and specify the lastlogon property.
D. Run Get-ADComputer and specify the SearchScope parameter.
Answer: C
Q2. - (Topic 3)
Your network contains an Active Directory domain named contoso.com.
You have a Group Policy object (GPO) named GPO1 that contains several user settings.
GPO1 is linked to an organizational unit (OU) named OU1.
The help desk reports that GPO1 applies to only some of the users in OU1.
You open Group Policy Management as shown in the exhibit. (Click the Exhibit button.)
You need to configure GPO1 to apply to all of the users in OU1.
What should you do?
A. Modify the Security settings of GPO1.
B. Disable Block Inheritance on OU1.
C. Modify the GPO status of GPO1.
D. Enforce GPO1.
Answer: A
Explanation:
Inheritance is blocked, but that would only affect policies applied ABOVE the given OU, not the one applied directly to it (as is the case with GPO1). Also, enforcing a policy is only going to cause it to be applied even when inheritance is blocked (which, as mentioned, does not make a difference on policies which are directly linked to the OU as a child). That means that there must be something in the security settings (such as a Security Group which does not have the "Read" or "Apply group policy" permission) preventing ALL of the users in OU1 from having the policy applied. (GPO status is the status of its replication within the forest, so it is not relevant here.)
Q3. - (Topic 1)
Your network contains an Active Directory domain named contoso.com. The domain contains two servers named Server1 and Server2 that run Windows Server 2012 R2.
You create a security template named Template1 by using the security template snap-in.
You need to apply Template1 to Server2.
Which tool should you use?
A. Security Templates
B. Computer Management
C. Security Configuration and Analysis
D. System Configuration
Answer: C
Explanation:
A security policy is a combination of security settings that affect the security on a computer. You can use your local security policy to edit account policies and local policies on your local computer.
A. Template was already created – Provide standard security option to use in security policies
B. Needs to be applied at the GP level
C. Security templates are inactive until imported into a Group Policy object or the Security Configuration and Analysis
D. Tool to ID windows problems
Q4. - (Topic 2)
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1. Server1 runs Windows Server 2012 R2.
You create a group Managed Service Account named gservice1.
You need to configure a service named Service1 to run as the gservice1 account.
How should you configure Service1?
A. From the Services console, configure the General settings.
B. From Windows PowerShell, run Set-Service and specify the -StartupType parameter.
C. From a command prompt, run sc.exe and specify the config parameter.
D. From a command prompt, run sc.exe and specify the privs parameter.
Answer: C
Explanation:
Executing the sc.exe command with the config parameter will modify service configuration.
Topic 3, Volume C
Q5. - (Topic 3)
Your network contains an Active Directory domain named contoso.com. All domain controllers run Windows Server 2008 R2. One of the domain controllers is named DC1.
The network contains a member server named Server1 that runs Windows Server 2012 R2.
You need to promote Server1 to a domain controller by using install from media (IFM).
What should you do first?
A. Create a system state backup of DC1.
B. Create IFM media on DC1.
C. Upgrade DC1 to Windows Server 2012 R2.
D. Run the Active Directory Domain Services Configuration Wizard on Server1.
E. Run the Active Directory Domain Services Installation Wizard on DC1.
Answer: C
Explanation:
A. Backs up system state data to be restored
C. Only valid option. You could install ADDS role on Server 1 and run ADDS configuration wizard and add DC to existing domain
D. Need to add ADDS role first
E. Wrong server
Installation from media does not work across different operating system versions. In other words, you must use a Windows Server 2012 R2 domain controller to generate installation media to use for another Windows Server 2012 R2 domain controller installation.
Using the Install from media (IFM) option to install an additional domain controller in an existing domain is the best option in scenarios such as a branch office where the network is slow, unreliable and costly. IFM will minimize replication traffic during the installation because it uses restored backup files to populate the AD DS database. This will significantly reduce the amount of traffic copied over the WAN link.
Things to remember:
If you are deploying your first Domain Controller in the domain, you cannot use IFM.
The OS will need to match the IFM media. (If you create a 2008 R2 IFM, promote a 2008 R2 DC.)
If you are creating a DC that will be a Global Catalog Server, create your IFM on a Global Catalog Server.
If you are creating a DC that will be a DNS Server, create your IFM on a DNS Server.
If you want to copy the SYSVOL, the DC on which you generate the installation media and the new DC must be at least running Windows Server 2008 with Service Pack 2 or Windows Server 2008 R2.
Membership of the Domain Admins group is the minimum required to complete IFM.
Q6. - (Topic 3)
You work as an administrator at Contoso.com. The Contoso.com network consists of a single domain named Contoso.com. All servers in the Contoso.com domain have Windows Server 2012 R2 installed.
You have logged on to a server, named ENSUREPASS-SR07, and would like to obtain the IP configurations of a server, named ENSUREPASS-SR13.
Which of the following actions should you take?
A. You should consider making use of the Winrs.exe command.
B. You should consider making use of the Winsat.exe command.
C. You should consider making use of the Winpop.exe command.
D. You should consider making use of the Dsrm.exe command.
Answer: A
Q7. - (Topic 2)
Your network contains an Active Directory domain named contoso.com.
All of the AppLocker policy settings for the member servers are configured in a Group Policy object (GPO) named GPO1.
A member server named Server1 runs Windows Server 2012 R2.
On Server1, you test a new set of AppLocker policy settings by using a local computer policy.
You need to merge the local AppLocker policy settings from Server1 into the AppLocker policy settings of GPO1.
What should you do?
A. From Local Group Policy Editor on Server1, export an .inf file. Import the .inf file by using Group Policy Management Editor.
B. From Server1, run the Set-ApplockerPolicy cmdlet.
C. From Local Group Policy Editor on Server1, export an .xml file. Import the .xml file by using Group Policy Management Editor.
D. From Server1, run the New-ApplockerPolicy cmdlet.
Answer: B
Explanation:
The Set-AppLockerPolicy cmdlet sets the specified Group Policy Object (GPO) to contain the specified AppLocker policy. If no Lightweight Directory Access Protocol (LDAP) is specified, the local GPO is the default. When the Merge parameter is used, rules in the specified AppLocker policy will be merged with the AppLocker rules in the target GPO specified in the LDAP path. The merging of policies will remove rules with duplicate rule IDs, and the enforcement setting specified by the AppLocker policy in the target GPO will be preserved. If the Merge parameter is not specified, then the new policy will overwrite the existing policy.
References:
http://technet.microsoft.com/en-us/library/ee791816(v=ws.10).aspx
Exam Ref 70-410: Installing and configuring Windows Server 2012 R2, Chapter 10: Implementing Group Policy, Lesson1: Planning, Implementing and managing Group Policy, p. 479
Q8. HOTSPOT - (Topic 2)
Your network contains an Active Directory domain named corp.contoso.com. The domain contains a domain controller named DC1.
When you run ping dc1.corp.contoso.com, you receive the result as shown in the exhibit. (Click the Exhibit button.)
You need to ensure that DC1 can respond to the Ping command.
Which rule should you modify?
To answer, select the appropriate rule in the answer area.
Answer:
Q9. - (Topic 3)
Your network contains an Active Directory domain named adatum.com. The domain contains three domain controllers.
The domain controllers are configured as shown in the following table.
DC3 loses network connectivity due to a hardware failure.
You plan to remove DC3 from the domain.
You log on to DC3.
You need to identify which service location (SRV) records are registered by DC3.
What should you do?
A. Open the %windir%\system32\config\netlogon.dns file.
B. Run dcdiag /test:dns
C. Open the %windir%\system32\dns\backup\adatum.com.dns file.
D. Run ipconfig /displaydns.
Answer: A
Explanation:
A. Netlogon service creates a log file that contains all the locator resource records and places the logfile in the following location:
B. Analyzes the state of domain controllers in a forest or enterprise and reports any problems to help in troubleshooting.
C. dns backup file
D. used to display current resolver cache content
You can verify SRV locator resource records by viewing netlogon.dns, located in the %systemroot%\System32\Config folder.
The SRV record is a Domain Name System (DNS) resource record that is used to identify computers that host specific services.
SRV resource records are used to locate domain controllers for Active Directory.
You can use Notepad to view this file.
The first record in the file is the domain controller's Lightweight Directory Access Protocol (LDAP) SRV record.
This record should appear similar to the following: _ldap._tcp.Domain_Name
Q10. - (Topic 2)
You have a print server named Print1 that runs Windows Server 2012 R2. Print1 has 10 shared printers. You need to change the location of the spool folder.
What should you modify?
A. The properties of the Print Spooler service
B. The Print Server Properties
C. The user environment variables
D. The PrintQueue.inf file
Answer: A
Q11. - (Topic 2)
You have two servers named Server1 and Server2 that run Windows Server 2012 R2. Server1 has the DHCP Server server role installed.
You need to create an IPv6 reservation for Server2.
Which two values should you obtain from Server2? (Each correct answer presents part of the solution. Choose two.)
A. the hardware ID
B. the DHCPv6 unique identifier
C. the DHCPv6 identity association ID
D. the SMSBIOS GUID
E. the MAC address
Answer: B,C
Explanation:
The Add-DhcpServerv6Reservation cmdlet reserves a specified IPv6 address for the client identified by the specified Dynamic Host Configuration Protocol (DHCP) v6 unique identifier (ID) (DUID) and identity association ID (IAID).
Q12. - (Topic 1)
Your network contains two servers named Server1 and Server2 that run Windows Server 2012 R2. Server1 and Server2 are part of a workgroup.
On Server1 and Server2, you create a local user account named Admin1. You add the account to the local Administrators group. On both servers, Admin1 has the same password.
You log on to Server1 as Admin1. You open Computer Management and you connect to Server2.
When you attempt to create a scheduled task, view the event logs, and manage the shared folders, you receive Access Denied messages.
You need to ensure that you can administer Server2 remotely from Server1 by using Computer Management.
What should you configure on Server2?
A. From Server Manager, modify the Remote Management setting.
B. From Local Users and Groups, modify the membership of the Remote Management Users group.
C. From Windows Firewall, modify the Windows Management Instrumentation (WMI) firewall rule.
D. From Registry Editor, configure the LocalAccountTokenFilterPolicy registry value.
Answer: D
Explanation:
The LocalAccountTokenFilterPolicy setting affects how administrator credentials are applied to remotely administer the computer. Reference: http://support.microsoft.com/kb/942817
Q13. - (Topic 3)
Your network contains an Active Directory domain named contoso.com. The domain contains 500 servers that run Windows Server 2012 R2.
You have a written security policy that states the following:
Only required ports must be open on the servers.
All of the servers must have Windows Firewall enabled.
Client computers used by administrators must be allowed to access all of the ports on all of the servers.
Client computers used by the administrators must be authenticated before the client computers can access the servers.
You have a client computer named Computer1 that runs Windows 8.
... .
You need to ensure that you can use Computer1 to access all of the ports on all of the servers successfully. The solution must adhere to the security policy.
Which three actions should you perform? (Each correct answer presents part of the solution. Choose three.)
A. On Computer1, create a connection security rule.
B. On all of the servers, create an outbound rule and select the Allow the connection if it is secure option.
C. On all of the servers, create an inbound rule and select the Allow the connection if it is secure option.
D. On Computer1, create an inbound rule and select the Allow the connection if it is secure option.
E. On Computer1, create an outbound rule and select the Allow the connection if it is secure option.
F. On all of the servers, create a connection security rule.
Answer: A,C,F
Explanation:
Unlike firewall rules, which operate unilaterally, connection security rules require that both communicating computers have a policy with connection security rules or another compatible IPsec policy.
Traffic that matches a firewall rule that uses the Allow connection if it is secure setting bypasses Windows Firewall. The rule can filter the traffic by IP address, port, or protocol. This method is supported on Windows Vista or Windows Server 2008.
References:
http://technet.microsoft.com/en-us/library/cc772021.aspx
http://technet.microsoft.com/en-us/library/cc753463.aspx
Q14. - (Topic 3)
A company’s server deployment team needs to introduce many new Windows Server 2012 R2 domain controllers throughout the network into a single Windows Server 2008 R2 domain. The team has chosen to use Windows PowerShell.
Which Windows PowerShell module includes the command-line options for installing domain controllers?
A. AD DS Administration cmdlets
B. AD DS Deployment cmdlets
C. AD CS Deployment cmdlets
D. AD CS Administration cmdlets
Answer: B
Explanation:
First use the Import-Module ADDSDeployment command in PowerShell; it includes the cmdlets needed to add new domain controllers. Then run Install-ADDSDomainController along with the required arguments. Quick Tip: DCPromo.exe has been deprecated but can still be used along with an answer file, and ADPrep.exe runs automatically when needed (but can be run with elevated rights for more control).
Q15. - (Topic 3)
Your network contains an Active Directory domain named contoso.com. The domain contains two domain controllers named DC1 and DC2. You install Windows Server 2012 on a new computer named DC3. You need to manually configure DC3 as a domain controller. Which tool should you use?
A. Server Manager
B. winrm.exe
C. Active Directory Domains and Trusts
D. dcpromo.exe
Answer: A