Q1. Your network contains two Active Directory forests named contoso.com and adatum.com. The contoso.com forest contains a server named Server1.contoso.com. The adatum.com forest contains a server named server2.adatum.com. Both servers have the Network Policy Server role service installed.
The network contains a server named Server3. Server3 is located in the perimeter network and has the Network Policy Server role service installed.
You plan to configure Server3 as an authentication provider for several VPN servers.
You need to ensure that RADIUS requests received by Server3 for a specific VPN server are always forwarded to Server1.contoso.com.
Which two should you configure on Server3? (Each correct answer presents part of the solution. Choose two.)
A. Remediation server groups
B. Remote RADIUS server groups
C. Connection request policies
D. Network policies
E. Connection authorization policies
Answer: B,C
Explanation:
When you configure Network Policy Server (NPS) as a Remote Authentication Dial-In User Service (RADIUS) proxy, you use NPS to forward connection requests to RADIUS servers that are capable of processing the connection requests because they can perform authentication and authorization in the domain where the user or computer account is located. For example, if you want to forward connection requests to one or more RADIUS servers in untrusted domains, you can configure NPS as a RADIUS proxy to forward the requests to the remote RADIUS servers in the untrusted domain. To configure NPS as a RADIUS proxy, you must create a connection request policy that contains all of the information required for NPS to evaluate which messages to forward and where to send the messages.
When you configure a remote RADIUS server group in NPS and you configure a connection request policy with the group, you are designating the location where NPS is to forward connection requests.
References: http://technet.microsoft.com/en-us/library/cc754518.aspx
Q2. Your network contains an Active Directory forest named contoso.com.
The domain contains three servers. The servers are configured as shown in the following table.
You need to identify which server role must be deployed to the network to support the planned implementation.
Which role should you identify?
A. Network Policy and Access Services
B. Volume Activation Services
C. Windows Deployment Services
D. Active Directory Rights Management Services
Answer: C
Explanation:
Windows Deployment Services (WDS) is a server role that enables you to remotely deploy Windows operating systems. You can use it to set up new computers by using a network-based installation. This means that you do not have to install each operating system directly from a CD, USB drive or DVD. To use Windows Deployment Services, you should have a working knowledge of common desktop deployment technologies and networking components, including Dynamic Host Configuration Protocol (DHCP), Domain Name System (DNS), and Active Directory Domain Services (AD DS). It is also helpful to understand the Preboot Execution Environment (also known as Pre-Execution Environment).
Q3. You have a DNS server named Server1.
Server1 has a primary zone named contoso.com.
Zone Aging/Scavenging is configured for the contoso.com zone.
One month ago, an administrator removed a server named Server2 from the network.
You discover that a static resource record for Server2 is present in contoso.com. Resource records for decommissioned client computers are removed automatically from contoso.com.
You need to ensure that the static resource records for all of the servers are removed automatically from contoso.com.
What should you modify?
A. The Expires after value of contoso.com
B. The Record time stamp value of the static resource records
C. The time-to-live (TTL) value of the static resource records
D. The Security settings of the static resource records
Answer: B
Explanation:
Reset the static resource records and permit them to use a current (non-zero) time stamp value. This enables these records to become aged and scavenged.
You can use this procedure to change how a specific resource record is scavenged.
A stale record is a record where both the No-Refresh Interval and Refresh Interval have passed without the time stamp updating.
DNS->View->Advanced
Depending on how the resource record was originally added to the zone, do one of the following:
If the record was added dynamically using dynamic update, clear the Delete this record when it becomes stale check box to prevent its aging or potential removal during the scavenging process. If dynamic updates to this record continue to occur, the Domain Name System (DNS) server will always reset this check box so that the dynamically updated record can be deleted.
If you added the record statically, select the Delete this record when it becomes stale check box to permit its aging or potential removal during the scavenging process.
References: http://technet.microsoft.com/en-us/library/cc759204%28v=ws.10%29.aspx
Typically, stale DNS records occur when a computer is permanently removed from the network. Mobile users who abnormally disconnect from the network can also cause stale DNS records. To help manage stale records, Windows adds a time stamp to dynamically added resource records in primary zones where aging and scavenging are enabled. Manually added records are time stamped with a value of 0, and they are automatically excluded from the aging and scavenging process.
To enable aging and scavenging, you must do the following:
Resource records must be either dynamically added to zones or manually modified to be used in aging and scavenging operations.
Scavenging and aging must be enabled both at the DNS server and on the zone.
Scavenging is disabled by default.
DNS scavenging depends on the following two settings:
No-refresh interval: The time between the most recent refresh of a record time stamp and the moment when the time stamp can be refreshed again. When scavenging is enabled, this is set to 7 days by default.
Refresh interval: The time between the earliest moment when a record time stamp can be refreshed and the earliest moment when the record can be scavenged. The refresh interval must be longer than the maximum record refresh period. When scavenging is enabled, this is set to 7 days by default.
A DNS record becomes eligible for scavenging after both the no-refresh and refresh intervals have elapsed. If the default values are used, this is a total of 14 days.
References: http://technet.microsoft.com/en-us/library/cc759204%28v=ws.10%29.aspx
http://technet.microsoft.com/en-us/library/cc771570.aspx
http://technet.microsoft.com/en-us/library/cc771677.aspx
http://technet.microsoft.com/en-us/library/cc758321(v=ws.10).aspx
Q4. Your network contains an Active Directory domain named contoso.com. All domain controllers run Windows Server 2012 R2.
You create a central store for Group Policy.
You receive a custom administrative template named Template1.admx.
You need to ensure that the settings in Template1.admx appear in all new Group Policy objects (GPOs).
What should you do?
A. From the Default Domain Controllers Policy, add Template1.admx to the Administrative Templates.
B. From the Default Domain Policy, add Template1.admx to the Administrative Templates.
C. Copy Template1.admx to \\Contoso.com\SYSVOL\Contoso.com\Policies\PolicyDefinitions\.
D. Copy Template1.admx to \\Contoso.com\NETLOGON.
Answer: C
Explanation:
Unlike ADM files, ADMX files are not stored in individual GPOs. For domain-based enterprises, administrators can create a central store location of ADMX files that is accessible by anyone with permission to create or edit GPOs.
Q5. Your network contains an Active Directory domain named contoso.com. All domain controllers run Windows Server 2012 R2. The domain contains 500 client computers that run Windows 8 Enterprise.
You implement a Group Policy central store.
You have an application named App1. App1 requires that a custom registry setting be deployed to all of the computers.
You need to deploy the custom registry setting. The solution must minimize administrator effort.
What should you configure in a Group Policy object (GPO)?
A. The Software Installation settings
B. The Administrative Templates
C. An application control policy
D. The Group Policy preferences
Answer: D
Explanation:
1. Open the Group Policy Management Console. Right-click the Group Policy object (GPO) that should contain the new preference item, and then click Edit.
2. In the console tree under Computer Configuration or User Configuration, expand the Preferences folder, and then expand the Windows Settings folder.
3. Right-click the Registry node, point to New, and select Registry Item.
Group Policy preferences provide the means to simplify deployment and standardize configurations. They add to Group Policy a centralized system for deploying preferences (that is, settings that users can change later).
You can also use Group Policy preferences to configure applications that are not Group Policy-aware. By using Group Policy preferences, you can change or delete almost any registry setting, file or folder, shortcut, and more. You are not limited by the contents of Administrative Template files. The Group Policy Management Editor (GPME) includes Group Policy preferences.
References: http://technet.microsoft.com/en-us/library/gg699429.aspx
http://www.unidesk.com/blog/gpos-set-custom-registry-entries-virtual-desktops-disabling-machine-password
Q6. HOTSPOT
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that has the Network Policy Server server role installed. The domain contains a server named Server2 that is configured for RADIUS accounting.
Server1 is configured as a VPN server and is configured to forward authentication requests to Server2.
You need to ensure that only Server2 contains event information about authentication requests from connections to Server1.
Which two nodes should you configure from the Network Policy Server console?
To answer, select the appropriate two nodes in the answer area.
Answer:
Q7. HOTSPOT
Your network contains an Active Directory forest named contoso.com. The forest contains a single domain. The forest contains two Active Directory sites named Site1 and Site2.
You plan to deploy a read-only domain controller (RODC) named DC10 to Site2. You pre-create the DC10 domain controller account by using Active Directory Users and Computers.
You need to identify which domain controller will be used for initial replication during the promotion of the RODC.
Which tab should you use to identify the domain controller?
To answer, select the appropriate tab in the answer area.
Answer:
Q8. Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2.
You enable and configure Routing and Remote Access (RRAS) on Server1.
You create a user account named User1.
You need to ensure that User1 can establish VPN connections to Server1.
What should you do?
A. Create a network policy.
B. Create a connection request policy.
C. Add a RADIUS client.
D. Modify the members of the Remote Management Users group.
Answer: A
Explanation:
Network policies are sets of conditions, constraints, and settings that allow you to designate who is authorized to connect to the network and the circumstances under which they can or cannot connect.
Network policies can be viewed as rules. Each rule has a set of conditions and settings.
Configure your VPN server to use Network Access Protection (NAP) to enforce health requirement policies.
References: http://technet.microsoft.com/en-us/library/hh831683.aspx
http://technet.microsoft.com/en-us/library/cc754107.aspx
http://technet.microsoft.com/en-us/library/dd314165%28v=ws.10%29.aspx
http://technet.microsoft.com/en-us/windowsserver/dd448603.aspx
http://technet.microsoft.com/en-us/library/dd469733.aspx
http://technet.microsoft.com/en-us/library/dd469660.aspx
http://technet.microsoft.com/en-us/library/cc753603.aspx
http://technet.microsoft.com/en-us/library/cc754033.aspx
Q9. Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2. Server1 has the File Server Resource Manager role service installed.
You configure a quota threshold as shown in the exhibit. (Click the Exhibit button.)
You need to ensure that a user named User1 receives an email notification when the threshold is exceeded.
What should you do?
A. Create a performance counter alert.
B. Create a classification rule.
C. Modify the members of the Performance Log Users group.
D. Configure the File Server Resource Manager Options.
Answer: D
Explanation:
When you create quotas and file screens, you have the option of sending e-mail notifications to users when their quota limit is approaching or after they have attempted to save files that have been blocked. If you want to routinely notify certain administrators of quota and file screening events, you can configure one or more default recipients.
To send these notifications, you must specify the SMTP server to be used for forwarding the e-mail messages.
To configure e-mail options
In the console tree, right-click File Server Resource Manager, and then click Configure options. The File Server Resource Manager Options dialog box opens.
On the E-mail Notifications tab, under SMTP server name or IP address, type the host name or the IP address of the SMTP server that will forward e-mail notifications. If you want to routinely notify certain administrators of quota or file screening events, under Default administrator recipients, type each e-mail address.
Use the format account@domain. Use semicolons to separate multiple accounts. To test your settings, click Send Test E-mail.
Q10. Your network contains a single Active Directory domain named contoso.com. The domain contains a member server named Server1 that runs Windows Server 2012 R2.
Server1 has the Windows Server Update Services server role installed and is configured to download updates from the Microsoft Update servers.
You need to ensure that Server1 downloads express installation files from the Microsoft Update servers.
What should you do from the Update Services console?
A. From the Update Files and Languages options, configure the Update Files settings.
B. From the Automatic Approvals options, configure the Update Rules settings.
C. From the Products and Classifications options, configure the Products settings.
D. From the Products and Classifications options, configure the Classifications settings.
Answer: A
Explanation:
To specify whether express installation files are downloaded during synchronization
In the left pane of the WSUS Administration console, click Options.
In Update Files and Languages, click the Update Files tab.
If you want to download express installation files, select the Download express installation files check box. If you do not want to download express installation files, clear the check box.
Reference: http://technet.microsoft.com/en-us/library/cc708431.aspx
Q11. Your company has a main office and two branch offices. The main office is located in Seattle. The two branch offices are located in Montreal and Miami. Each office is configured as an Active Directory site.
The network contains an Active Directory domain named contoso.com. Network traffic is not routed between the Montreal office and the Miami office.
You implement a Distributed File System (DFS) namespace named \\contoso.com\public. The namespace contains a folder named Folder1. Folder1 has a folder target in each office.
You need to configure DFS to ensure that users in the branch offices only receive referrals to the target in their respective office or to the target in the main office.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Set the Ordering method of \\contoso.com\public to Random order.
B. Set the Advanced properties of the folder target in the Seattle office to Last among all targets.
C. Set the Advanced properties of the folder target in the Seattle office to First among targets of equal cost.
D. Set the Ordering method of \\contoso.com\public to Exclude targets outside of the client's site.
E. Set the Advanced properties of the folder target in the Seattle office to Last among targets of equal cost.
F. Set the Ordering method of \\contoso.com\public to Lowest cost.
Answer: C,D
Explanation:
Exclude targets outside of the client's site: In this method, the referral contains only the targets that are in the same site as the client. These same-site targets are listed in random order. If no same-site targets exist, the client does not receive a referral and cannot access that portion of the namespace.
Note: Targets that have target priority set to "First among all targets" or "Last among all targets" are still listed in the referral, even if the ordering method is set to Exclude targets outside of the client's site.
Note 2: Set the Ordering Method for Targets in Referrals. A referral is an ordered list of targets that a client computer receives from a domain controller or namespace server when the user accesses a namespace root or folder with targets. After the client receives the referral, the client attempts to access the first target in the list. If the target is not available, the client attempts to access the next target.
Q12. You have a server named Server1 that runs Windows Server 2012 R2. Server1 has the Windows Server Update Services server role installed.
You need to configure Windows Server Update Services (WSUS) to support Secure Sockets Layer (SSL).
Which three actions should you perform? (Each correct answer presents part of the solution. Choose three.)
A. From Internet Information Services (IIS) Manager, modify the connection strings of the WSUS website.
B. Install a server certificate.
C. Run the wsusutil.exe command.
D. Run the iisreset.exe command.
E. From Internet Information Services (IIS) Manager, modify the bindings of the WSUS website.
Answer: B,C,E
Explanation:
A certificate needs to be installed in IIS, the bindings of the WSUS website modified, and wsusutil run.
1. First we need to request a certificate for the WSUS web site, so open IIS, click the server name, then open Server Certificates.
On the Actions pane click Create Domain Certificate.
2. To add the signing certificate to the WSUS Web site in IIS 7.0
On the WSUS server, open Internet Information Services (IIS) Manager.
Expand Sites, right-click the WSUS Web site, and then click Edit Bindings.
In the Site Binding dialog box, select the https binding, and click Edit to open the Edit Site Binding dialog box.
Select the appropriate Web server certificate in the SSL certificate box, and then click OK.
Click Close to exit the Site Bindings dialog box, and then click OK to close Internet Information Services (IIS) Manager.
3. WSUSUtil.exe configuressl <FQDN of the software update point site system> (the name in your certificate)
WSUSUtil.exe configuressl <Intranet FQDN of the software update point site system>.
4. The next step is to point your clients to the correct URL, by modifying the existing GPO or creating a new one. Open the policy Specify intranet Microsoft update service location and type the new URL in the form https://YourWSUSserver.
The gpupdate /force command will just download all the GPOs and re-apply them to the client; it won't force the client to check for updates. For that you need to use wuauclt /resetauthorization /detectnow followed by wuauclt /reportnow.
References:
http://technet.microsoft.com/en-us/library/bb680861.aspx
http://technet.microsoft.com/en-us/library/bb633246.aspx
http://www.vkernel.ro/blog/configure-wsus-to-use-ssl
Q13. HOTSPOT
Your network contains an Active Directory domain named contoso.com. All client computers are configured as DHCP clients.
You link a Group Policy object (GPO) named GPO1 to an organizational unit (OU) that contains all of the client computer accounts.
You need to ensure that Network Access Protection (NAP) compliance is evaluated on all of the client computers.
Which two settings should you configure in GPO1?
To answer, select the appropriate two settings in the answer area.
Answer:
Q14. Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2 and has the Network Policy Server role service installed.
You need to enable trace logging for Network Policy Server (NPS) on Server1.
Which tool should you use?
A. The tracert.exe command
B. The Network Policy Server console
C. The Server Manager console
D. The netsh.exe command
Answer: D
Explanation:
NPS trace logging files
You can use log files on servers running Network Policy Server (NPS) and NAP client computers to help troubleshoot NAP problems. Log files can provide the detailed information required for troubleshooting complex problems.
You can capture detailed information in log files on servers running NPS by enabling remote access tracing. The Remote Access service does not need to be installed or running to use remote access tracing. When you enable tracing on a server running NPS, several log files are created in %windir%\tracing.
The following log files contain helpful information about NAP:
IASNAP.LOG: Contains detailed information about NAP processes, NPS authentication, and NPS authorization.
IASSAM.LOG: Contains detailed information about user authentication and authorization.
Membership in the local Administrators group, or equivalent, is the minimum required to enable tracing. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).
To create tracing log files on a server running NPS
Open a command line as an administrator.
Type netsh ras set tr * en.
Reproduce the scenario that you are troubleshooting.
Type netsh ras set tr * dis.
Close the command prompt window.
Reference: http://technet.microsoft.com/en-us/library/dd348461%28v=ws.10%29.aspx
Q15. Your network contains an Active Directory domain named contoso.com. The domain contains a member server named Server1. Server1 runs Windows Server 2012 R2 and has the Hyper-V server role installed.
Server1 hosts 10 virtual machines. A virtual machine named VM1 runs Windows Server 2012 R2 and hosts a processor-intensive application named App1.
Users report that App1 responds more slowly than expected.
You need to monitor the processor usage on VM1 to identify whether changes must be made to the hardware settings of VM1.
Which performance object should you monitor on Server1?
A. Processor
B. Hyper-V Hypervisor Virtual Processor
C. Hyper-V Hypervisor Logical Processor
D. Hyper-V Hypervisor Root Virtual Processor
E. Process
Answer: C
Explanation:
In the simplest way of thinking, the virtual processor time is cycled across the available logical processors in a round-robin type of fashion. Thus all the processing power gets used over time, and technically nothing ever sits idle. To accurately measure the processor utilization of a guest operating system, use the "\Hyper-V Hypervisor Logical Processor(_Total)\% Total Run Time" performance monitor counter on the Hyper-V host operating system.