Introducing The New!
Surepassexam Collection
Get Unlimited Access to all
Surepassexam's PREMIUM files
Q1. You have a server named Server1 that runs Windows Server 2012 R2.
From Server Manager, you install the Active Directory Certificate Services server role on
Server1.
A domain administrator named Admin1 logs on to Server1.
When Admin1 runs the Certification Authority console, Admin1 receive the following error message.
You need to ensure that when Admin1 opens the Certification Authority console on Server1, the error message does not appear.
What should you do?
A. Run the Install-AdcsCertificationAuthority cmdlet.
B. Install the Active Directory Certificate Services (AD CS) tools.
C. Modify the PATH system variable.
D. Add Admin1 to the Cert Publishers group.
Answer: B
Explanation:
* Cannot manage Active Directory Certificate Services
The error message is related to missing role configuration.
* Cannot Manage Active Directory Certificate Services Resolution: configure the two Certification Authority and Certification Authority Web Enrollment Roles.
* Active Directory Certificate Services (AD CS) is an Active Directory tool that lets administrators customize services in order to issue and manage public key certificates.
AD CS included:
CA Web enrollment - connects users to a CA with a Web browser
Certification authorities (CAs) - manages certificate validation and issues certificates
Etc.
Incorrect:
Not A. The CA is installed, it just need to be configured correctly.
Note: Install-AdcsCertificationAuthority
The Install-AdcsCertificationAuthority cmdlet performs installation and configuration of the
AD CS CA role service.
Reference: Cannot manage Active Directory Certificate Services in Server 2012 Error
0x800070002; Active Directory Certificate Services (AD CS) Definition
http://searchwindowsserver.techtarget.com/definition/Active-Directory-Certificate-Services-
AD-CS
Q2. Your network contains an Active Directory domain named contoso.com. The domain contains a domain controller named DC1 that runs Windows Server 2012 R2. DC1 has the DNS Server server role installed.
The network contains client computers that run either Linux, Windows 7, or Windows 8.
You have a zone named adatum.com as shown in the exhibit. (Click the Exhibit button.)
You plan to configure Name Protection on all of the DHCP servers.
You need to configure the adatum.com zone to support Name Protection.
What should you do?
A. Change the zone type.
B. Sign the zone.
C. Add a DNSKEY record.
D. Configure Dynamic updates.
Answer: D
Explanation:
Name protection requires secure update to work. Without name protection DNS names may be hijacked.
You can use the following procedures to allow only secure dynamic updates for a zone. Secure dynamic update is supported only for Active Directory–integrated zones. If the zone type is configured differently, you must change the zone type and directory-integrate the zone before securing it for Domain Name System (DNS) dynamic updates.
Enable secure dynamic updates:
Reference: DHCP: Secure DNS updates should be configured if Name Protection is
enabled on any IPv4 scope http://technet.microsoft.com/en-us/library/ee941152(v=ws.10).aspx
Q3. HOTSPOT
Your network contains one Active Directory forest named contoso.com. The forest contains the domain controllers configured as shown in the following table.
You perform the following actions:
. Create a file named File1.txt in the SYSVOL folder on DC1.
. Create a user named User1 on DC4. You need to identify on which domain controller or controllers a copy of each object is stored.
What should you identify? To answer, select the appropriate options in the answer area.
Answer:
Q4. Your network contains an Active Directory domain named contoso.com. The domain
contains a server named Server1 that runs Windows Server 2012 R2. Server1 has the Active Directory Rights Management Services server role installed.
Your company works with a partner organization that does not have its own Active Directory Rights Management Services (AD RMS) implementation.
You need to create a trust policy for the partner organization.
The solution must meet the following requirements:
. Grant users in the partner organization access to protected content. . Provide users in the partner organization with the ability to create protected content.
Which type of trust policy should you create?
A. A federated trust
B. Windows Live ID
C. A trusted publishing domain
D. A trusted user domain
Answer: A
Explanation:
In AD RMS rights can be assigned to users who have a federated trust with Active
Directory Federation Services (AD FS). This enables an organization to share access to
rights-protected content with another organization without having to establish a separate
Active Directory trust or Active Directory Rights Management Services (AD RMS)
infrastructure.
Incorrect:
Not C. Trusted publishing domains allow one AD RMS server to issue use licenses that
correspond with a publishing license issued by another AD RMS server, but in this scenario
the partner organization does not have any Active Directory.
Not D. A trusted user domain, often referred as a TUD, is a trust between AD RMS
clusters, but in this scenario the partner organization does not have any Active Directory.
Reference: AD RMS and AD FS Considerations
http://technet.microsoft.com/en-us/library/dd772651(v=WS.10).aspx
Q5. Your network contains an Active Directory domain named contoso.com. The domain contains a member server named Server1 that has the Active Directory Federation Services server role installed. All servers run Windows Server 2012.
You complete the Active Directory Federation Services Configuration Wizard on Server1. You need to ensure that client devices on the internal network can use Workplace Join. Which two actions should you perform on Server1? (Each correct answer presents part of the solution. Choose two.)
A. Run Enable-AdfsDeviceRegistration -PrepareActiveDirectory.
B. Edit the multi-factor authentication global authentication policy settings.
C. Run Enable-AdfsDeviceRegistration.
D. Run Set-AdfsProxyProperties HttpPort 80.
E. Edit the primary authentication global authentication policy settings.
Answer: C,E
Explanation:
C. To enable Device Registration Service
On your federation server, open a Windows PowerShell command window and type:
Enable-AdfsDeviceRegistration
Repeat this step on each federation farm node in your AD FS farm.
E. Enable seamless second factor authentication
Seamless second factor authentication is an enhancement in AD FS that provides an
added level of access protection to corporate resources and applications from external
devices that are trying to access them. When a personal device is Workplace Joined, it
becomes a ‘known’ device and administrators can use this information to drive conditional
access and gate access to resources.
To enable seamless second factor authentication, persistent single sign-on (SSO) and
conditional access for Workplace Joined devices.
In the AD FS Management console, navigate to Authentication Policies. Select Edit Global
Primary Authentication. Select the check box next to Enable Device Authentication, and
then click OK.
Reference: Configure a federation server with Device Registration Service.
Q6. Your network contains an Active Directory forest named adatum.com. All servers run Windows Server 2012 R2. The domain contains four servers. The servers are configured as shown in the following table.
You need to deploy IP Address Management (IPAM) to manage DNS and DHCP.
On which server should you install IPAM?
A. Server1
B. Server2
C. Server3
D. Server4
Answer: D
Explanation:
An IPAM server is intended as a single-purpose server. It is not recommended to collocate
other network infrastructure roles such as DNS or DHCP on the same server. IPAM installation is not supported on a domain controller, and discovery of DHCP servers will be disabled if you install IPAM on a server that is also running the DHCP Server service. The following features and tools are automatically installed when you install IPAM Server.
Reference: IPAM Deployment Planning
Q7. Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2 and has the DHCP Server server role installed.
An administrator installs the IP Address Management (IPAM) Server feature on a server named Server2. The administrator configures IPAM by using Group Policy based provisioning and starts server discovery.
You plan to create Group Policies for IPAM provisioning.
You need to identify which Group Policy object (GPO) name prefix must be used for IPAM Group Policies.
What should you do on Server2?
A. From Server Manager, review the IPAM overview.
B. Run the ipamgc.exe tool.
C. From Task Scheduler, review the IPAM tasks.
D. Run the Get-IpamConfiguration cmdlet.
Answer: D
Explanation:
Example:
http://i.imgur.com/YcHLXhr.jpg
Q8. Your network contains two Active Directory forests named contoso.com and corp.contoso.com.
User1 is a member of the DnsAdmins domain local group in contoso.com.
User1 attempts to create a conditional forwarder to corp.contoso.com but receive an error message shown in the exhibit. (Click the Exhibit button.)
You need to configure bi-directional name resolution between the two forests.
What should you do first?
A. Add User1 to the DnsUpdateProxy group.
B. Configure the zone to be Active Directory-integrated.
C. Enable the Advanced view from DNS Manager.
D. Run the New Delegation Wizard.
Answer: B
Explanation:
The zone must be Active Directory-integrated.
Q9. You have a file server named Server1 that runs a Server Core Installation of Windows Server 2012 R2.
Server1 has a volume named D that contains user data. Server1 has a volume named E that is empty.
Server1 is configured to create a shadow copy of volume D every hour. You need to configure the shadow copies of volume D to be stored on volume E.
What should you run?
A. The Set-Volume cmdlet with the -driveletter parameter
B. The Set-Volume cmdlet with the -path parameter
C. The vssadmin.exe add shadowstorage command
D. The vssadmin.exe create shadow command
Answer: C
Explanation:
Add ShadowStorage
Adds a shadow copy storage association for a specified volume.
Incorrect:
Not A. Sets or changes the file system label of an existing volume. -DriveLetter Specifies a
letter used to identify a drive or volume in the system.
Not B. Create Shadow
Creates a new shadow copy of a specified volume.
Not C. Sets or changes the file system label of an existing volume -Path Contains valid
path information.
Reference: Vssadmin; Set-Volume
http://technet.microsoft.com/en-us/library/cc754968(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/hh848673(v=wps.620).aspx
Q10. Your network contains an Active Directory domain named contoso.com. The domain
contains a certification authority (CA).
You suspect that a certificate issued to a Web server is compromised.
You need to minimize the likelihood that users will trust the compromised certificate.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Stop the Certificate Propagation service.
B. Modify the validity period of the Web Server certificate template.
C. Run certutil and specify the -revoke parameter.
D. Run certutil and specify the -deny parameter.
E. Publish the certificate revocation list (CRL).
Answer: C,E
Explanation: First revoke the certificate, then publish the CRL.
Q11. HOTSPOT
Your network contains an Active Directory domain named contoso.com. All client
computers run Windows 8 Enterprise.
You have a remote site that only contains client computers. All of the client computer
accounts are located in an organizational unit (OU) named Remote1. A Group Policy object
(GPO) named GPO1 is linked to the Remote1 OU.
You need to configure BranchCache for the remote site.
Which two settings should you configure in GPO1?
To answer, select the two appropriate settings in the answer area.
Answer:
Q12. Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2. Server1 has the Active Directory Rights Management Services server role installed.
The domain contains a domain local group named Group1.
You create a rights policy template named Template1. You assign Group1 the rights to Template1.
You need to ensure that all the members of Group1 can use Template1.
What should you do?
A. Configure the email address attribute of Group1.
B. Convert the scope of Group1 to global.
C. Convert the scope of Group1 to universal.
D. Configure the email address attribute of all the users who are members of Group1.
Answer: D
Explanation:
Explanation/Reference: When a user or group is created in Active Directory, the mail attribute is an optional attribute that can be set to include a primary email address for the user or group. For AD RMS to work properly, this attribute must be set because all users must have an email attribute to protect and consume content.
Reference: AD RMS Troubleshooting Guide http://social.technet.microsoft.com/wiki/contents/articles/13130.ad-rms-troubleshooting-guide.aspx
Q13. Your company has offices in Montreal, New York, and Amsterdam.
The network contains an Active Directory forest named contoso.com. An Active Directory site exists for each office. All of the sites connect to each other by using the DEFAULTIPSITELINK site link.
You need to ensure that only between 20:00 and 08:00, the domain controllers in the Montreal office replicate the Active Directory changes to the domain controllers in the Amsterdam office.
The solution must ensure that the domain controllers in the Montreal and the New York offices can replicate the Active Directory changes any time of day.
What should you do?
A. Create a new site link that contains Montreal and Amsterdam. Remove Amsterdam from DEFAULTIPSITE1INK. Modify the schedule of DEFAULTIPSITELINK.
B. Create a new site link that contains Montreal and Amsterdam. Create a new site link bridge. Modify the schedule of DEFAULTIPSITELINK.
C. Create a new site link that contains Montreal and Amsterdam. Remove Amsterdam from DEFAULTIPSITELINK. Modify the schedule of the new site link.
D. Create a new site link that contains Montreal and Amsterdam. Create a new site link bridge. Modify the schedule of the new site link.
Answer: C
Explanation:
We create a new site link between Montreal and Amsterdam and schedule it only between
20:00 and 08:00. To ensure that traffic between Montreal and Amsterdam only occurs at this time we also remove Amsterdam from the DEFAULTIPSITELINK.
Reference: How Active Directory Replication Topology Works
http://technet.microsoft.com/en-us/library/cc755994(v=ws.10).aspx
Q14. You have a server named Server1 that runs Windows Server 2012 R2.
Server1 fails.
You identify that the master boot record (MBR) is corrupt.
You need to repair the MBR.
Which tool should you use?
A. Bcdedit
B. Bcdboot
C. Bootrec
D. Fixmbr
Answer: C
Explanation:
Repairing an unbootable Windows installation with bootrec.exe If the boot/recovery partition is corrupted or lost, you can modify your Windows OS partition to boot.
. Boot from your Windows Vista/7/Server2008/R2/2012 media and choose the
"Repair Windows" option. . Open the command prompt. . Using diskpart, mark your Windows partition as bootable. . If your windows partition does not have it, copy the "boot" folder from the
installation media.
. Run the following commands: >c: >cd boot >attrib bcd -s -h -r >ren c:\boot\bcd bcd.old >bootrec /RebuildBcd Reboot and Windows should boot normally. If not, return to the command prompt and run: >bootrec /FixMBR >bootrec /FixBoot
Incorrect: Not A. BCDEdit is a command-line tool for managing BCD stores. It can be used for a variety of purposes, including creating new stores, modifying existing stores, adding boot menu options, and so on. BCDEdit serves essentially the same purpose as Bootcfg.exe on earlier versions of Windows Not B. The BCDboot tool is a command-line tool that enables you to manage system partition files Not D. Fixmbr is not a tool. Fixmbr is an option when using the bootrec tool.
Reference: Windows BCD Store
http://www.itsgotme.com/wiki/Windows_BCD
Q15. A user named User1 is a member of the local Administrators group on Node1 and Node2.
User1 creates a new clustered File Server role named File1 by using the File Server for general use option.
A report is generated during the creation of File1 as shown in the exhibit. (Click the Exhibit button.)
File1 fails to start.
You need to ensure that you can start File1.
What should you do?
A. Log on to the domain by using the built-in Administrator for the domain, and then recreate the clustered File Server role by using the File Server for general use option.
B. Assign the user account permissions of User1 to the Servers OU.
C. Assign the computer account permissions of Cluster2 to the Servers OU.
D. Increase the value of the ms-DS-MachineAccountQuota attribute of the domain.
E. Recreate the clustered File Server role by using the File Server for scale-out application data option.
Answer: B
Explanation:
Scenario: You have created a Windows Server 2012 Scale-Out File Server. The cluster,
including the network and storage, pass the cluster validation test. Everything looks and is
good. You create a File Server role for application data (SOFS) but it fails to start.
Problem: Basically, the cluster needs permissions to create a computer object (for the
SOFS) in the same Active Directory OU that the cluster object (Demo-FSC1) is stored in.
Resolution: Reconfigure the permissions on the Servers OU.
In this case we assign the user account permissions of User1 to the Servers OU.
Reference: Scale-Out File Server Role Fails To Start With Event IDs 1205, 1069, and 1194
http://www.aidanfinn.com/?p=14142
Q16. You have a server named Server1 that runs Windows Server 2012 R2.
Each day, Server1 is backed up fully to an external disk.
On Server1, the disk that contains the operating system fails.
You replace the failed disk.
You need to perform a bare-metal recovery of Server1 by using the Windows Recovery
Environment (Windows RE).
What should you do?
A. Run the Start-WBVolumeRecovery cmdlet and specify the -backupset parameter.
B. Run the Get-WBBareMetalRecovery cmdlet and specify the -policy parameter.
C. Run the wbadmin.exe start recovery command and specify the -recoverytarget parameter.
D. Run the wbadmin.exe start sysrecovery command and specify the -backuptarget parameter.
Answer: D
Explanation:
Performs a system recovery (bare metal recovery). This subcommand can be run only from the Windows Recovery Environment.
* -backupTarget Specifies the storage location that contains the backup or backups that you want to recover. This parameter is useful when the storage location is different from where backups of this computer are usually stored.
Reference: Wbadmin start sysrecovery
http://technet.microsoft.com/en-us/library/cc742118.aspx