Introducing The New!
Surepassexam Collection
Get Unlimited Access to all
Surepassexam's PREMIUM files
Q1. Your network contains one Active Directory forest named contoso.com. The forest contains two child domains and six domain controllers. The domain controllers are configured as shown in the following table.
You have a trust from contoso.com to another forest named fabrikam.com.
You plan to migrate users from contoso.com to fabrikam.com.
You need to ensure that the users who migrated to fabrikam.com can continue to access shared resources in contoso.com. The solution must not require administrators to modify permissions to shared resources.
What should you use?
A. Set-ADSite
B. Set-ADReplicationSite
C. Set-ADDomain
D. Set-ADReplicationSiteLink
E. Set-ADGroup
F. Set-ADForest
G. Netdom
Answer: G
Explanation: The Netdom move command moves a workstation or member server to a new domain. The act of moving a computer to a new domain creates an account for the computer on the domain, if it does not already exist.
Reference: Technet, Netdom move
https://technet.microsoft.com/en-us/library/cc788127.aspx
Q2. Your network contains two Web servers named Server1 and Server2. Both servers run Windows Server 2012 R2.
Server1 and Server2 are nodes in a Network Load Balancing (NLB) cluster. The NLB cluster contains an application named App1 that is accessed by using the URL http://app1.contoso.com.
You plan to perform maintenance on Server1.
You need to ensure that all new connections to App1 are directed to Server2. The solution must not disconnect the existing connections to Server1.
What should you run?
A. The Set-NlbCluster cmdlet
B. The Set-NlbClusterNode cmdlet
C. The Stop-NlbCluster cmdlet
D. The Stop-NlbClusterNode cmdlet
Answer: D
Explanation:
The Stop-NlbClusterNode cmdlet stops a node in an NLB cluster. When you use the stop
the nodes in the cluster, client connections that are already in progress are interrupted. To
avoid interrupting active connections, consider using the -drain parameter, which allows the
node to continue servicing active connections but disables all new traffic to that node.
-Drain <SwitchParameter>
Drains existing traffic before stopping the cluster node. If this parameter is omitted, existing
traffic will be dropped.
Reference: Stop-NlbClusterNode
Q3. Your network contains an Active Directory domain named adatum.com. You create a new
Group Policy object (GPO) named GPO1.
You need to verify that GPO1 was replicated to all of the domain controllers.
Which tool should you use?
A. Gpupdate
B. Gpresult
C. Group Policy Management
D. Active Directory Sites and Services
Answer: C
Explanation:
In Windows Server 2012, the Group Policy Management Console (GPMC) was enhanced to provide a report for the overall health state of the Group Policy infrastructure for a domain, or to scope the health view to a single GPO.
Reference: Check Group Policy Infrastructure Status
http://technet.microsoft.com/en-us/library/jj134176.aspx
Q4. Your network contains an Active Directory domain named contoso.com. The domain
contains a certification authority (CA).
You suspect that a certificate issued to a Web server is compromised.
You need to minimize the likelihood that users will trust the compromised certificate.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Stop the Certificate Propagation service.
B. Modify the validity period of the Web Server certificate template.
C. Run certutil and specify the -revoke parameter.
D. Run certutil and specify the -deny parameter.
E. Publish the certificate revocation list (CRL).
Answer: C,E
Explanation: First revoke the certificate, then publish the CRL.
Q5. HOTSPOT
Your network contains two servers named Server1 and Server2 that run Windows Server 2012 R2. Server1 and Server2 have the Hyper-V server role installed.
Server1 and Server2 have different processor models from the same manufacturer.
On Server1, you plan to create a virtual machine named VM1. Eventually, VM1 will be
exported to Server2.
You need to ensure that when you import VM1 to Server2, you can start VM1 from saved
snapshots.
What should you configure on VM1?
To answer, select the appropriate node in the answer area.
Answer:
Q6. Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server3 that runs Windows Server 2012 R2 and has the DHCP Server server role installed.
DHCP is configured as shown in the exhibit. (Click the Exhibit button.)
Scope1, Scope2, and Scope3 are configured to assign the IP addresses of two DNS servers to DHCP clients. The remaining scopes are NOT configured to assign IP addresses of DNS servers to DHCP clients.
You need to ensure that only Scope1, Scope3, and Scopes assign the IP addresses of the DNS servers to the DHCP clients. The solution must minimize administrative effort.
What should you do?
A. Create a superscope and a filter.
B. Create a superscope and scope-level policies.
C. Configure the Server Options.
D. Configure the Scope Options.
Answer: D
Explanation:
Scope options are applied to any clients that obtain a lease within that particular scope.
Active scope option types always apply to all computers obtaining a lease in a given scope
unless they are overridden by class or reserved client settings for the option type.
Incorrect:
Not A, not B. A superscope allows a DHCP server to provide leases from more than one
scope to clients on a single physical network. It is not applicable here.
Not C. If we configure the Server Options and set the DNS Servers then all DHCP clients
would be assigned a DNS server.
Reference: Managing DHCP Options
https://technet.microsoft.com/en-us/library/cc958929.aspx
Q7. HOTSPOT
Your network contains one Active Directory forest named contoso.com. The forest contains the domain controllers configured as shown in the following table.
You perform the following actions:
. Create a file named File1.txt in the SYSVOL folder on DC1.
. Create a user named User1 on DC4. You need to identify on which domain controller or controllers a copy of each object is stored.
What should you identify? To answer, select the appropriate options in the answer area.
Answer:
Q8. Your company recently deployed a new Active Directory forest named contoso.com. The first domain controller in the forest runs Windows Server 2012 R2.
You need to identify the time-to-live (TTL) value for domain referrals to the NETLOGON and SYSVOL shared folders.
Which tool should you use?
A. Ultrasound
B. Replmon
C. Dfsdiag
D. Frsutil
Answer: C
Explanation:
Explanation/Reference:
DFSDIAG can check your configuration in five different ways:
Checking referral responses (DFSDIAG /TestReferral)
Checking domain controller configuration
Checking site associations
Checking namespace server configuration
Checking individual namespace configuration and integrity
Reference: Five ways to check your DFS-Namespaces (DFS-N) configuration with the
DFSDIAG.EXE tool
Q9. HOTSPOT
Your network contains an Active Directory domain named contoso.com. The domain contains an enterprise certification authority (CA).
The domain contains a server named Server1 that runs Windows Server 2012 R2. You install the Active Directory Federation Services server role on Server1.
You plan to configure Server1 as an Active Directory Federation Services (AD FS) server. The Federation Service name will be set to adfs1.contoso.com.
You need to identify which type of certificate template you must use to request a certificate for AD FS.
Answer:
Q10. Your network contains an Active Directory domain named contoso.com. The domain contains a domain controller named DC1 that runs Windows Server 2012 R2. DC1 has the DNS Server server role installed.
The network contains client computers that run either Linux, Windows 7, or Windows 8.
You have a zone named adatum.com as shown in the exhibit. (Click the Exhibit button.)
You plan to configure Name Protection on all of the DHCP servers.
You need to configure the adatum.com zone to support Name Protection.
What should you do?
A. Change the zone type.
B. Sign the zone.
C. Add a DNSKEY record.
D. Configure Dynamic updates.
Answer: D
Explanation:
Name protection requires secure update to work. Without name protection DNS names may be hijacked.
You can use the following procedures to allow only secure dynamic updates for a zone. Secure dynamic update is supported only for Active Directory–integrated zones. If the zone type is configured differently, you must change the zone type and directory-integrate the zone before securing it for Domain Name System (DNS) dynamic updates.
Enable secure dynamic updates:
Reference: DHCP: Secure DNS updates should be configured if Name Protection is
enabled on any IPv4 scope http://technet.microsoft.com/en-us/library/ee941152(v=ws.10).aspx
Q11. You have a server named Server1 that runs Windows Server 2012 R2. Server1 has the DNS Server server role installed.
You need to store the contents of all the DNS queries received by Server1.
What should you configure?
A. Logging from Windows Firewall with Advanced Security
B. Debug logging from DNS Manager
C. A Data Collector Set (DCS) from Performance Monitor
D. Monitoring from DNS Manager
Answer: B
Explanation:
Debug logging allows you to log the packets sent and received by a DNS server. Debug logging is disabled by default, and because it is resource intensive, you should only activate it temporarily when you need more specific detailed information about server performance.
Reference: Active Directory 2008: DNS Debug Logging Facts…
Q12. You have five servers that run Windows Server 2012 R2. The servers have the Failover Clustering feature installed. You deploy a new cluster named Cluster1. Cluster1 is configured as shown in the following table.
Server1, Server2, and Server3 are configured as the preferred owners of the cluster roles. Dynamic quorum management is disabled.
You plan to perform hardware maintenance on Server3.
You need to ensure that if the WAN link between Site1 and Site2 fails while you are performing maintenance on Server3, the cluster resource will remain available in Site1.
What should you do?
A. Add a file share witness in Site1.
B. Enable DrainOnShutdown on Cluster1.
C. Remove the node vote for Server4 and Server5.
D. Remove the node vote for Server3.
Answer: C
Explanation:
Recommended Adjustments to Quorum Voting When enabling or disabling a given WSFC (Windows Server Failover Clustering) node’s vote, follow these guidelines:
* Exclude secondary site (here site2) nodes (here server4 and server5). In general, do not give votes to WSFC nodes that reside at a secondary disaster recovery site. You do not want nodes in the secondary site to contribute to a decision to take the cluster offline when there is nothing wrong with the primary site.
Reference: WSFC Quorum Modes and Voting Configuration (SQL Server)
Q13. You have a server named LON-DC1 that runs Windows Server 2012 R2. An iSCSI virtual disk named VirtualiSCSI1.vhd exists on LON-DC1 as shown in the exhibit. (Click the Exhibit button.)
You create a new iSCSI virtual disk named VirtualiSCSI2.vhd by using the existing itgt iSCSI target.
VirtualiSCSIl.vhd is removed from LON-DC1.
You need to assign VirtualiSCSI2.vhd a logical unit value of 0.
What should you do?
A. Modify the properties of the itgt ISCSI target.
B. Modify the properties of the VirtualiSCSI2.vhd iSCSI virtual disk.
C. Run the Set-VirtualDisk cmdlet and specify the -Uniqueld parameter.
D. Run the iscsicli command and specify the reportluns parameter.
Answer: B
Explanation:
The virtual disk has the option to change the lun ID, no other option available in the answers appear to allow this change.
Note: Logical unit numbers (LUNs) created on an iSCSI disk storage subsystem are not directly assigned to a server. For iSCSI, LUNs are assigned to logical entities called targets.
Q14. Your network contains one Active Directory domain named contoso.com. The domain contains the domain controllers configured as shown in the following table.
The functional level of the domain and the forest is Windows Server 2008.
An administrator named Admin1 is a member of the Domain Admins group.
You need to ensure that Admin1 can deploy a Windows Server 2012 R2 domain controller to contoso.com.
What should you do?
A. Raise the forest functional level.
B. Run the Set-ADForestMode cmdlet.
C. Raise the domain functional level.
D. Run the adprep.exe command.
Answer: D
Explanation: Adprep.exe commands run automatically as needed as part of the AD DS installation process on servers that run Windows Server 2012 or later. The commands need to run in the following cases:
* Before you add the first domain controller that runs a version of Windows Server that is later than the latest version that is running in your existing domain.
* Before you upgrade an existing domain controller to a later version of Windows Server, if that domain controller will be the first domain controller in the domain or forest to run that version of Windows Server.
Reference: Running Adprep.exe
https://technet.microsoft.com/en-us/library/dd464018(v=ws.10).aspx
Q15. Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2. Server1 has the Active Directory Certificate Services server role installed and is configured as an enterprise certification authority (CA).
You need to ensure that all of the users in the domain are issued a certificate that can be used for the following purposes:
Email security
Client authentication
Encrypting File System (EFS)
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. From a Group Policy, configure the Certificate Services Client – Auto-Enrollment settings.
B. From a Group Policy, configure the Certificate Services Client – Certificate Enrollment Policy settings.
C. Modify the properties of the User certificate template, and then publish the template.
D. Duplicate the User certificate template, and then publish the template.
E. From a Group Policy, configure the Automatic Certificate Request Settings settings.
Answer: A,D
Explanation:
The default user template supports all of the requirements EXCEPT auto enroll as shown below:
However a duplicated template from users has the ability to autoenroll:
The Automatic Certificate Request Settings GPO setting is only available to Computer, not user.
Reference: Manage Certificate Enrollment Policy by Using Group Policy. http://technet.microsoft.com/en-us/library/dd851772.aspx
Q16. Your network contains an Active Directory forest named adatum.com. The forest contains an Active Directory Rights Management Services (AD RMS) cluster.
A partner company has an Active Directory forest named litwareinc.com. The partner company does not have AD RMS deployed.
You need to ensure that users in litwareinc.com can consume rights-protected content from adatum.com.
Which type of trust policy should you create?
A. At federated trust
B. A trusted user domain
C. A trusted publishing domain
D. Windows Live ID
Answer: A
Explanation:
In AD RMS rights can be assigned to users who have a federated trust with Active Directory Federation Services (AD FS). This enables an organization to share access to rights-protected content with another organization without having to establish a separate Active Directory trust or Active Directory Rights Management Services (AD RMS) infrastructure.
Reference: AD RMS and AD FS Considerations
http://technet.microsoft.com/en-us/library/dd772651(v=WS.10).aspx