Introducing The New!
Surepassexam Collection
Get Unlimited Access to all
Surepassexam's PREMIUM files
Q1. You have a server named Server1 that runs Windows Server 2012 R2. Server1 has the File Server Resource Manager role service installed.
Server1 has a folder named Folder1 that is used by the sales department.
You need to ensure that an email notification is sent to the sales manager when a File Screening Audit report is generated.
What should you configure on Server1?
A. a file group
B. a file screen
C. a file screen exception
D. a storage report task
Answer: D
Explanation:
From the Storage Reports Management node, you can generate reports that will help you understand file use on the storage server. You can use the storage reports to monitor disk usage patterns (by file type or user), identify duplicate files and dormant files, track quota usage, and audit file screening.
Before you run a File Screen Audit report, in the File Server Resource Manager Options dialog box, on the File Screen Audit tab, verify that the Record file screening activity in the auditing database check box is selected.
Reference: http: //technet. microsoft. com/en-us/library/cc755988. aspx
http: //technet. microsoft. com/en-us/library/cc730822. aspx
http: //technet. microsoft. com/en-us/library/cc770594. aspx
http: //technet. microsoft. com/en-us/library/cc771212. aspx
http: //technet. microsoft. com/en-us/library/cc732074. aspx
Q2. You have a server named Server1 that runs Windows Server 2012 R2. Server1 has the File Server Resource Manager role service installed.
Each time a user receives an access-denied message after attempting to access a folder on Server1, an email notification is sent to a distribution list named DLL.
You create a folder named Folder1 on Server1, and then you configure custom NTFS permissions for Folder1.
You need to ensure that when a user receives an access-denied message while attempting to access Folder1, an email notification is sent to a distribution list named DL2. The solution must not prevent DL1 from receiving notifications about other access-denied messages.
What should you do?
A. From the File Server Resource Manager console, create a local classification property.
B. From Server Manager, run the New Share Wizard to create a share for Folder1 by selecting the SMB Share - Applications option.
C. From the File Server Resource Manager console, modify the Access-Denied Assistance settings.
D. From the File Server Resource Manager console, set a folder management property.
Answer: D
Q3. DRAG DROP
Your network contains an Active Directory domain named adatum.com. The domain contains a server named Server1 that runs Windows Server 2012 R2. Server1 is configured as a Network Policy Server (NPS) server and as a DHCP server.
You need to log all DHCP clients that have windows Firewall disabled.
Which three actions should you perform in sequence? To answer, move the three appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Answer:
Q4. Your company deploys a new Active Directory forest named contoso.com. The first domain controller in the forest runs Windows Server 2012 R2. The forest contains a domain controller named DC10.
On DC10, the disk that contains the SYSVOL folder fails.
You replace the failed disk. You stop the Distributed File System (DFS) Replication service. You restore the SYSVOL folder.
You need to perform a non-authoritative synchronization of SYSVOL on DC10.
Which tool should you use before you start the DFS Replication service on DC10?
A. Dfsgui.msc
B. Dfsmgmt.msc
C. Adsiedit.msc
D. Ldp
Answer: C
Explanation:
How to perform a non-authoritative synchronization of DFSR-replicated SYSVOL (like "D2" for FRS)
. In the ADSIEDIT. MSC tool modify the following distinguished name (DN) value and attribute on each of the domain controllers that you want to make non-authoritative:
CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=<the server name>,OU=Domain Controllers,DC=<domain> msDFSR-Enabled=FALSE
. Force Active Directory replication throughout the domain.
. Run the following command from an elevated command prompt on the same servers that you set as non-authoritative:
DFSRDIAG POLLAD
. You will see Event ID 4114 in the DFSR event log indicating SYSVOL is no longer being replicated.
. On the same DN from Step 1, set:
msDFSR-Enabled=TRUE
. Force Active Directory replication throughout the domain.
. Run the following command from an elevated command prompt on the same servers that you set as non-authoritative:
DFSRDIAG POLLAD
. You will see Event ID 4614 and 4604 in the DFSR event log indicating SYSVOL has been initialized. That domain controller has now done a “D2” of SYSVOL.
Note: Active Directory Service Interfaces Editor (ADSI Edit) is a Lightweight Directory Access Protocol (LDAP) editor that you can use to manage objects and attributes in Active Directory. ADSI Edit (adsiedit. msc) provides a view of every object and attribute in an Active Directory forest. You can use ADSI Edit to query, view, and edit attributes that are not exposed through other Active Directory Microsoft Management Console (MMC) snap-ins: Active Directory Users and Computers, Active Directory Sites and Services, Active Directory Domains and Trusts, and Active Directory Schema.
Q5. Your network contains an Active Directory domain named adatum.com. The domain contains a file server named Server1 that runs Windows Server 2012 R2.
All client computers run Windows 7.
You need to ensure that user settings are saved to \\Server1\Users\.
What should you do?
A. From the properties of each user account, configure the Home folder settings.
B. From a Group Policy object (GPO), configure the Folder Redirection settings.
C. From the properties of each user account, configure the User profile settings.
D. From a Group Policy object (GPO), configure the Drive Maps preference.
Answer: C
Explanation:
If a computer is running Windows 2000 Server or later on a network, users can store their profiles on the server. These profiles are called roaming user profiles.
Q6. Your network contains three Network Policy Server (NPS) servers named NPS1, NPS2, and NPS3.
NP51 is configured as a RADIUS proxy that forwards connection requests to a remote RADIUS server group named Group1.
You need to ensure that NPS2 receives connection requests. NPS3 must only receive connection requests if NPS2 is unavailable.
How should you configure Group1?
A. Change the Priority of NPS3 to 10.
B. Change the Weight of NPS2 to 10.
C. Change the Weight of NPS3 to 10.
D. Change the Priority of NPS2 to 10.
Answer: A
Explanation:
Priority. Priority specifies the order of importance of the RADIUS server to the NPS proxy server. Priority level must be assigned a value that is an integer, such as 1, 2, or 3. The lower the number, the higher priority the NPS proxy gives to the RADIUS server. For example, if the RADIUS server is assigned the highest priority of 1, the NPS proxy sends connection requests to the RADIUS server first; if servers with priority 1 are not available, NPS then sends connection requests to RADIUS servers with priority 2, and so on. You can assign the same priority to multiple RADIUS servers, and then use the Weight setting to load balance between them.
Q7. Your network contains an Active Directory domain named contoso.com. The domain contains six domain controllers. The domain controllers are configured as shown in the following table.
The network contains a server named Server1 that has the Hyper-v server role installed. DC6 is a virtual machine that is hosted on Server1.
You need to ensure that you can clone DC6.
Which FSMO role should you transfer to DC2?
A. Rid master
B. Domain naming master
C. PDC emulator
D. Infrastructure master
Answer: C
Explanation:
The clone domain controller uses the security context of the source domain controller (the domain controller whose copy it represents) to contact the Windows Server 2012 R2 Primary Domain Controller (PDC) emulator operations master role holder (also known as flexible single master operations, or FSMO). The PDC emulator must be running Windows
Server 2012 R2, but it does not have to be running on a hypervisor.
Reference:
http: //technet. microsoft. com/en-us/library/hh831734. aspx
Q8. Your network contains a Network Policy Server (NPS) server named Server1. The network contains a server named SQL1 that has Microsoft SQL Server 2008 R2 installed. All servers run Windows Server 2012 R2.
You configure NPS on Server1 to log accounting data to a database on SQL1.
You need to ensure that the accounting data is captured if SQL1 fails. The solution must minimize cost.
What should you do?
A. Implement Failover Clustering.
B. Implement database mirroring.
C. Run the Accounting Configuration Wizard.
D. Modify the SQL Server Logging properties.
Answer: C
Explanation:
In Windows Server 2008 R2, an accounting configuration wizard is added to the Accounting node in the NPS console. By using the Accounting Configuration wizard, you can configure the following four accounting settings:
. SQL logging only. By using this setting, you can configure a data link to a SQL Server that allows NPS to connect to and send accounting data to the SQL server. In addition, the wizard can configure the database on the SQL Server to ensure that the database is compatible with NPS SQL server logging.
. Text logging only. By using this setting, you can configure NPS to log accounting data to a text file.
. Parallel logging. By using this setting, you can configure the SQL Server data link and database. You can also configure text file logging so that NPS logs simultaneously to the text file and the SQL Server database.
. SQL logging with backup. By using this setting, you can configure the SQL Server data link and database. In addition, you can configure text file logging that NPS uses if SQL Server logging fails.
Q9. Your network contains an Active Directory domain named contoso.com. All servers run Windows Server 2012 R2.
The network contains several group Managed Service Accounts that are used by four member servers.
You need to ensure that if a group Managed Service Account resets a password of a domain user account, an audit entry is created.
You create a Group Policy object (GPO) named GPO1.
What should you do next?
A. In GPO1, configure the Advanced Audit Policy Configuration settings for Audit User Account Management. Link GPO1 to the Domain Controllers organizational unit (OU).
B. In GPO1, configure the Advanced Audit Policy Configuration settings for Audit User Account Management. Move the member servers to a new organizational unit (OU). Link GPO1 to the new OU.
C. In GPO1, configure the Advanced Audit Policy Configuration settings for Audit Sensitive Privilege Use. Link GPO1 to the Domain Controllers organizational unit (OU).
D. In GPO1, configure the Advanced Audit Policy Configuration settings for Audit Sensitive Privilege Use. Move the member servers to a new organizational unit (OU). Link GPO1 to the new OU.
Answer: A
Explanation:
Audit User Account Management This security policy setting determines whether the operating system generates audit events when the following user account management tasks are performed:
. A user account is created, changed, deleted, renamed, disabled, enabled, locked out, or unlocked.
A user account password is set or changed.
Security identifier (SID) history is added to a user account.
The Directory Services Restore Mode password is set.
Permissions on accounts that are members of administrators groups are changed.
Credential Manager credentials are backed up or restored.
This policy setting is essential for tracking events that involve provisioning and managing user accounts.
Q10. Your network contains an Active Directory domain named contoso.com. The domain
contains a domain controller named DC1 that runs Windows Server 2012 R2.
All client computers run Windows 8 Enterprise.
DC1 contains a Group Policy object (GPO) named GPO1.
You need to update the PATH variable on all of the client computers.
Which Group Policy preference should you configure?
A. Ini Files
B. Services
C. Data Sources
D. Environment
Answer: D
Explanation:
Environment Variable preference items allow you to create, update, replace, and delete user and system environment variables or semicolon-delimited segments of the PATH variable. Before you create an Environment Variable preference item, you should review the behavior of each type of action possible with this extension.
Q11. HOTSPOT
Your network contains an Active Directory domain named contoso.com. All servers run Windows Server 2012 R2.
You need to audit successful and failed attempts to read data from USB drives on the servers.
Which two objects should you configure? To answer, select the appropriate two objects in the answer area.
Answer:
Q12. Your network contains an Active Directory domain named contoso.com. All domain controllers run Windows Server 2012 R2. You plan to use fine-grained password policies to customize the password policy settings ofcontoso.com.
You need to identify to which Active Directory object types you can directly apply the fine-grained password policies.
Which two object types should you identify? (Each correct answer presents part of the solution. Choose two.)
A. Users
B. Global groups
C. computers
D. Universal groups
E. Domain local groups
Answer: A,B
Explanation:
First off, your domain functional level must be at Windows Server 2008. Second, Fine-grained password policies ONLY apply to user objects, and global security groups. Linking them to universal or domain local groups is ineffective. I know what you’re thinking, what about OU’s? Nope, Fine-grained password policy cannot be applied to an organizational unit (OU) directly. The third thing to keep in mind is, by default only members of the Domain Admins group can set fine-grained password policies. However, you can delegate this ability to other users if needed.
Fine-grained password policies apply only to user objects (or inetOrgPerson objects if they are used instead of user objects) and global security groups.
You can apply Password Settings objects (PSOs) to users or global security groups:
References:
http: //technet. microsoft. com/en-us/library/cc731589%28v=ws. 10%29. aspx
http: //technet. microsoft. com/en-us/library/cc731589%28v=ws. 10%29. aspx
http: //technet. microsoft. com/en-us/library/cc770848%28v=ws. 10%29. aspx
http: //www. brandonlawson. com/active-directory/creating-fine-grained-password-policies/
Q13. Your network contains a Hyper-V host named Hyperv1. Hyperv1 runs Windows Server 2012 R2.
Hyperv1 hosts four virtual machines named VM1, VM2, VM3, and VM4. AH of the virtual machines run Windows Server 2008 R2.
You need to view the amount of memory resources and processor resources that VM4 currently uses.
Which tool should you use on Hyperv1?
A. Windows System Resource Manager (WSRM)
B. Task Manager
C. Hyper-V Manager
D. Resource Monitor
Answer: C
Explanation:
Hyper-V Performance Monitoring Tool Know which resource is consuming more CPU. Find out if CPUs are running at full capacity or if they are being underutilized. Metrics tracked include Total CPU utilization, Guest CPU utilization, Hypervisor CPU utilization, idle CPU utilization, etc.
WSRM is deprecated starting with Windows Server 2012
Q14. Your network contains an Active Directory domain named contoso.com. The domain contains a Web server named www.contoso.com. The Web server is available on the Internet.
You implement DirectAccess by using the default configuration.
You need to ensure that users never attempt to connect to www.contoso.com by using DirectAccess. The solution must not prevent the users from using DirectAccess to access other resources in contoso.com.
Which settings should you configure in a Group Policy object (GPO)?
A. DirectAccess Client Experience Settings
B. DNS Client
C. Name Resolution Policy
D. Network Connections
Answer: C
Explanation:
For DirectAccess, the NRPT must be configured with the namespaces of your intranet with a leading dot (for example, internal.contoso.com or . corp.contoso.com). For a DirectAccess client, any name request that matches one of these namespaces will be sent to the specified intranet Domain Name System (DNS) servers.
Include all intranet DNS namespaces that you want DirectAccess client computers to access.
There are no command line methods for configuring NRPT rules. You must use Group Policy settings. To configure the NRPT through Group Policy, use the Group Policy add-in at Computer Configuration \Policies\Windows Settings\Name Resolution Policy in the Group Policy object for DirectAccess clients. You can create a new NRPT rule and edit or delete existing rules. For more information, see Configure the NRPT with Group Policy.
Q15. Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1. Server1 has the DHCP Server server role and the Network Policy Server role service installed.
Server1 contains three non-overlapping scopes named Scope1, Scope2, and Scope3. Server1 currently provides the same Network Access Protection (NAP) settings to the three scopes.
You modify the settings of Scope1 as shown in the exhibit. (Click the Exhibit button.)
You need to configure Server1 to provide unique NAP enforcement settings to the NAP non-compliant DHCP clients from Scope1.
What should you create?
A. A connection request policy that has the Service Type condition
B. A connection request policy that has the Identity Type condition
C. A network policy that has the Identity Type condition
D. A network policy that has the MS-Service Class condition
Answer: D
Explanation:
MS-Service Class
Restricts the policy to clients that have received an IP address from a DHCP scope that matches the specified DHCP profile name. This condition is used only when you are deploying NAP with the DHCP enforcement method. To use the MS-Service Class attribute, in Specify the profile name that identifies your DHCP scope, type the name of an existing DHCP profile.
Open the NPS console, double-click Policies, click Network Policies, and then double-click the policy you want to configure.
In policy Properties, click the Conditions tab, and then click Add. In Select condition, scroll to the Network Access Protection group of conditions.
If you want to configure the Identity Type condition, click Identity Type, and then click Add.
In Specify the method in which clients are identified in this policy, select the items appropriate for your deployment, and then click OK.
The Identity Type condition is used for the DHCP and Internet Protocol security (IPsec) enforcement methods to allow client health checks when NPS does not receive an Access-Request message that contains a value for the User-Name attribute; in this case, client health checks are performed, but authentication and authorization are not performed.
If you want to configure the MS-Service Class condition, click MS-Service Class, and then click Add. In Specify the profile name that identifies your DHCP scope, type the name of an existing DHCP profile, and then click Add.
The MS-Service Class condition restricts the policy to clients that have received an IP address from a DHCP scope that matches the specified DHCP profile name. This condition is used only when you are deploying NAP with the DHCP enforcement method.
References: http: //technet. microsoft. com/en-us/library/cc731560(v=ws. 10). aspx
http: //technet. microsoft. com/en-us/library/cc731220(v=ws. 10). aspx