Q1. Your network contains an Active Directory forest named contoso.com. The contoso.com domain only contains domain controllers that run Windows Server 2012 R2.
The forest contains a child domain named child.contoso.com. The child.contoso.com domain only contains domain controllers that run Windows Server 2008 R2. The child.contoso.com domain contains a member server named Server1 that runs Windows Server 2012 R2.
You have access to four administrative user accounts in the forest. The administrative user accounts are configured as shown in the following table.
You need to ensure that you can add a domain controller that runs Windows Server 2012 R2 to the child.contoso.com domain.
Which account should you use to run adprep.exe?
A. Admin1
B. Admin2
C. Admin3
D. Admin4
Answer: C
Explanation:
Adprep.exe performs operations that must be completed on the domain controllers that run
in an existing Active Directory environment before you can add a domain controller that
runs that version of Windows Server.
Preparing to run adprep /domainprep (see step 2 below).
To help ensure that the adprep /domainprep command runs successfully, complete these steps before you run the command on the infrastructure operations master role holder in each domain:
- Make sure that the schema updates that adprep /forestprep performs replicated throughout the forest or that they at least replicated to the infrastructure master for the domain where you plan to run adprep /domainprep.
- Make sure that you can log on to the infrastructure master with an account that is a member of the Domain Admins group.
- Verify that the domain functional level is appropriate.
Reference: Running Adprep.exe
http://technet.microsoft.com/en-us/library/dd464018(v=ws.10).aspx
Q2. DRAG DROP
You have a server named Server2 that runs Windows Server 2012 R2. You have storage provisioned on Server2 as shown in the exhibit. (Click the Exhibit button.)
You need to configure the storage so that it appears in Windows Explorer as a drive letter on Server1.
Which three actions should you perform in sequence? To answer, move the three appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Answer:
Q3. Your company recently deployed a new Active Directory forest named contoso.com. The first domain controller in the forest runs Windows Server 2012 R2.
You need to identify the time-to-live (TTL) value for domain referrals to the NETLOGON and SYSVOL shared folders.
Which tool should you use?
A. Ultrasound
B. Replmon
C. Dfsdiag
D. Frsutil
Answer: C
Explanation:
DFSDIAG can check your configuration in five different ways:
Checking referral responses (DFSDIAG /TestReferral)
Checking domain controller configuration
Checking site associations
Checking namespace server configuration
Checking individual namespace configuration and integrity
Reference: Five ways to check your DFS-Namespaces (DFS-N) configuration with the DFSDIAG.EXE tool
Q4. HOTSPOT
Your network contains an Active Directory domain named contoso.com. All servers run Windows Server 2012 R2.
The domain contains two domain controllers. The domain controllers are configured as shown in the following table.
On DC1, you create an Active Directory-integrated zone named Zone1. You verify that
Zone1 replicates to DC2.
You use DNSSEC to sign Zone1.
You discover that the updates to Zone1 fail to replicate to DC2.
You need to ensure that Zone1 replicates to DC2.
What should you configure on DC1?
To answer, select the appropriate tab in the answer area.
Answer:
Q5. HOTSPOT
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2. Server1 has the Active Directory Certificate Services server role installed and configured.
For all users, you are deploying smart cards for logon. You are using an enrollment agent to enroll the smart card certificates for the users.
You need to configure the Contoso Smartcard Logon certificate template to support the use of the enrollment agent.
Which setting should you modify? To answer, select the appropriate setting in the answer area.
Answer:
Q6. Your network contains an Active Directory domain named contoso.com.
A previous administrator implemented a Proof of Concept installation of Active Directory Rights Management Services (AD RMS) on a server named Server1.
After the proof of concept was complete, the Active Directory Rights Management Services server role was removed.
You attempt to deploy AD RMS.
During the configuration of AD RMS, you receive an error message indicating that an existing AD RMS Service Connection Point (SCP) was found.
You need to ensure that clients will only attempt to establish connections to the new AD RMS deployment.
Which should you do?
A. From DNS, remove the records for Server1.
B. From DNS, increase the priority of the DNS records for the new deployment of AD RMS.
C. From Active Directory, remove the computer object for Server1.
D. From Active Directory, remove the SCP.
Answer: D
Explanation: The Active Directory Rights Management Services (AD RMS) Service Connection Point (SCP) is an object in Active Directory that holds the web address of the AD RMS certification cluster. AD RMS-enabled applications use the SCP to discover the AD RMS service; it is the first connection point for users to discover the AD RMS web services.
Only one SCP can exist in your Active Directory forest. If you try to install AD RMS and an SCP already exists in your forest from a previous AD RMS installation that was not properly deprovisioned, the new SCP will not install properly. It must be removed before you can establish the new SCP.
Reference: The AD RMS Service Connection Point
http://social.technet.microsoft.com/wiki/contents/articles/710.the-ad-rms-service-connection-point.aspx
Q7. Your network contains an Active Directory domain named contoso.com. The domain contains a member server named Server1. Server1 has the IP Address Management (IPAM) Server feature installed.
A technician performs maintenance on Server1.
After the maintenance is complete, you discover that you cannot connect to the IPAM server on Server1.
You open the Services console as shown in the exhibit. (Click the Exhibit button.)
You need to ensure that you can connect to the IPAM server.
Which service should you start?
A. Windows Process Activation Service
B. Windows Event Collector
C. Windows Internal Database
D. Windows Store Service (WSService)
Answer: C
Explanation:
Windows Internal Database
Windows Internal Database is a relational data store that can be used only by Windows
roles and features.
IPAM does not support external databases. Only a Windows Internal Database is
supported.
IPAM stores 3 years of forensics data (IP address leases, host MAC addresses, user
login/logoff information) for 100,000 users in a Windows Internal Database. There is no
database purge policy provided, and the administrator must purge data manually as
needed.
Incorrect:
Not A. IPAM works even if the Windows Process Activation Service is not running.
Not B. IPAM does not require the Windows Event Collector Service. It needs to be running on the managed DC/DNS/DHCP computers.
Not D. IPAM does not require the Windows Store Service. It provides infrastructure support for Windows Store. This service is started on demand, and if it is disabled, applications bought using Windows Store will not behave correctly.
Reference: IPAM Deployment Planning
Q8. You deploy an Active Directory Federation Services (AD FS) 2.1 infrastructure. The infrastructure uses Active Directory as the attribute store.
Some users report that they fail to authenticate to the AD FS infrastructure.
You discover that only users who run third-party web browsers experience issues.
You need to ensure that all of the users can authenticate to the AD FS infrastructure successfully.
Which Windows PowerShell command should you run?
A. Set-ADFSProperties -ProxyTrustTokenLifetime 1:00:00
B. Set-ADFSProperties -AddProxyAuthenticationRules None
C. Set-ADFSProperties -SSOLifetime 1:00:00
D. Set-ADFSProperties -ExtendedProtectionTokenCheck None
Answer: D
Explanation:
Certain client browser software, such as Firefox, Chrome, and Safari, does not support the Extended Protection for Authentication capabilities that can be used across the Windows platform to protect against man-in-the-middle attacks. To prevent this type of attack from occurring over secure AD FS communications, AD FS 2.0 enforces (by default) that all communications use a channel binding token (CBT) to mitigate this threat.
Note: To disable the Extended Protection for Authentication feature in AD FS 2.0:
- On a federation server, log in using the Administrator account, open the Windows PowerShell command prompt, and then type the following command: Set-ADFSProperties -ExtendedProtectionTokenCheck None
- Repeat this step on each federation server in the farm.
With the check set to None, the federation server no longer requires a CBT, so the man-in-the-middle protection described above is not enforced on that server.
Reference: Configuring Advanced Options for AD FS 2.0
Q9. You have 30 servers that run Windows Server 2012 R2.
All of the servers are backed up daily by using Windows Azure Online Backup.
You need to perform an immediate backup of all the servers to Windows Azure Online
Backup.
Which Windows PowerShell cmdlets should you run on each server?
A. Get-OBPolicy | Start-OBBackup
B. Start-OBRegistration | Start-OBBackup
C. Get-WBPolicy | Start-WBBackup
D. Get-WBBackupTarget | Start-WBBackup
Answer: A
Explanation:
This example starts a backup job using a policy.
Windows PowerShell
PS C:\> Get-OBPolicy | Start-OBBackup
Incorrect:
Not B. Registers the current computer to Windows Azure Backup.
Not C. Not using Azure
Not D. Not using Azure
Reference: Start-OBBackup
http://technet.microsoft.com/en-us/library/hh770406(v=wps.620).aspx
Q10. Your company has two offices. The offices are located in Seattle and Montreal.
The network contains an Active Directory domain named contoso.com. The domain contains two DHCP servers named Server1 and Server2. Server1 is located in the Seattle office. Server2 is located in the Montreal office. All servers run Windows Server 2012 R2.
You need to create a DHCP scope for video conferencing in the Montreal office. The scope must be configured as shown in the following table.
Which Windows PowerShell cmdlet should you run?
A. Add-DhcpServerv4SuperScope
B. Add-DhcpServerv4MulticastScope
C. Add-DHCPServerv4Policy
D. Add-DhcpServerv4Scope
Answer: B
Explanation:
The Add-DhcpServerv4MulticastScope cmdlet adds a multicast scope on the Dynamic Host Configuration Protocol (DHCP) server.
Note: IPv4 multicast addresses are defined by the leading address bits of 1110, originating from the classful network design of the early Internet when this group of addresses was designated as Class D. The Classless Inter-Domain Routing (CIDR) prefix of this group is 224.0.0.0/4. The group includes the addresses from 224.0.0.0 to 239.255.255.255.
Reference: Add-DhcpServerv4MulticastScope
Q11. HOTSPOT
Your network contains an Active Directory domain named contoso.com. The domain contains two member servers named Server1 and Server2. All servers run Windows Server 2012.
Server1 and Server2 have the Hyper-V server role and the Failover Clustering feature installed.
Server1 and Server2 are members of a cluster named Cluster1. Cluster1 hosts 10 virtual machines.
When you try to migrate a running virtual machine from one server to another, you receive the following error message: "There was an error checking for virtual machine compatibility on the target node."
You need to ensure that the virtual machines can be migrated from one node to another.
From which node should you perform the configuration?
To answer, select the appropriate node in the answer area.
Answer:
Q12. Your network contains an Active Directory forest named contoso.com. The forest contains a single domain. The forest contains three Active Directory sites named SiteA, SiteB, and SiteC. The sites contain four domain controllers. The domain controllers are configured as shown in the following table.
An IP site link exists between each site.
You discover that the users in SiteC are authenticated by the domain controllers in SiteA and SiteB.
You need to ensure that the SiteC users are authenticated by the domain controllers in SiteB, unless all of the domain controllers in SiteB are unavailable.
What should you do?
A. Create an SMTP site link between SiteB and SiteC.
B. Decrease the cost of the site link between SiteB and SiteC.
C. Disable site link bridging.
D. Create additional connection objects for DC1 and DC2.
Answer: B
Explanation:
By decreasing the site link cost between SiteB and SiteC, the SiteC users would be authenticated by SiteB rather than by SiteA.
Q13. Your network contains an Active Directory domain named contoso.com. The domain
contains two member servers named Server1 and Server2.
You install the DHCP Server server role on Server1 and Server2. You install the IP
Address Management (IPAM) Server feature on Server1.
You notice that you cannot discover Server1 or Server2 in IPAM.
You need to ensure that you can use IPAM to discover the DHCP infrastructure.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. On Server2, create an IPv4 scope.
B. On Server1, run the Add-IpamServerInventory cmdlet.
C. On Server2, run the Add-DhcpServerInDc cmdlet.
D. On both Server1 and Server2, run the Add-DhcpServerv4Policy cmdlet.
E. On Server1, uninstall the DHCP Server server role.
Answer: B,C
Explanation:
B. The Add-IpamServerInventory cmdlet adds a new infrastructure server to the IP Address Management (IPAM) server inventory. Use the fully qualified domain name (FQDN) of the server to add to the server inventory.
C. The Add-DhcpServerInDC cmdlet adds the computer running the DHCP server service to the list of authorized Dynamic Host Configuration Protocol (DHCP) server services in the Active Directory (AD). A DHCP server service running on a domain joined computer needs to be authorized in AD so that it can start leasing IP addresses on the network.
Reference: Add-IpamServerInventory; Add-DhcpServerInDC
Q14. DRAG DROP
Your network contains two Active Directory forests named contoso.com and adatum.com. Each forest contains an Active Directory Rights Management Services (AD RMS) root cluster. All servers run Windows Server 2012 R2.
You need to ensure that the rights account certificates issued in adatum.com are accepted by the AD RMS root cluster in contoso.com.
What should you do in each forest?
To answer, drag the appropriate actions to the correct forests. Each action may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
Answer:
Q15. Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2. Server1 has an enterprise root certification authority (CA) for contoso.com.
You deploy another member server named Server2 that runs Windows Server 2012 R2 and has the Web Server (IIS) server role installed.
You need to designate a website on Server1 as the certificate revocation list (CRL) distribution point for the CA. The solution must ensure that CRLs are published automatically to Server2.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Create an http:// CRL distribution point (CDP) entry.
B. Configure a CA exit module.
C. Create a file:// CRL distribution point (CDP) entry.
D. Configure a CA policy module.
E. Configure an enrollment agent.
Answer: A,D
Explanation:
A. To specify CRL distribution points in issued certificates:
- Open the Certification Authority snap-in. In the console tree, click the name of the CA. On the Action menu, click Properties, and then click the Extensions tab. Confirm that Select extension is set to CRL Distribution Point (CDP).
- Do one or more of the following. (The list of CRL distribution points is in the Specify locations from which users can obtain a certificate revocation list (CRL) box.)
  - To indicate that you want to use a URL as a CRL distribution point, click the CRL distribution point, select the Include in the CDP extension of issued certificates check box, and then click OK.
- Click Yes to stop and restart Active Directory Certificate Services (AD CS).
D. You can specify CRL Distribution Points (CDPs) in CAPolicy.inf. Note that any CDP in CAPolicy.inf will take precedence for certificate verifiers over the CDPs specified in the CA policy module.
Note:
CRLDistributionPoint
You can specify CRL Distribution Points (CDPs) for a root CA certificate in the CAPolicy.inf.
This section does not configure the CDP for the CA itself. After the CA has been installed
you can configure the CDP URLs that the CA will include in each certificate that it issues.
The URLs specified in this section of the CAPolicy.inf file are included in the root CA
certificate itself.
Example:
[CRLDistributionPoint]
URL=http://pki.wingtiptoys.com/cdp/WingtipToysRootCA.crl
Q16. DRAG DROP
Your network contains four servers that run Windows Server 2012 R2.
Each server has the Failover Clustering feature installed. Each server has three network
adapters installed. An iSCSI SAN is available on the network.
You create a failover cluster named Cluster1. You add the servers to the cluster.
You plan to configure the network settings of each server node as shown in the following table.
You need to configure the network settings for Cluster1.
What should you do?
To answer, drag the appropriate network communication setting to the correct cluster network. Each network communication setting may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
Answer: