Q251. - (Topic 3)
You work as an administrator at Contoso.com. The Contoso.com network consists of a single domain named Contoso.com. All servers on the Contoso.com network have Windows Server 2012 R2 installed.
You have received instructions to convert a basic disk to a GPT disk.
Which of the following is TRUE with regards to GPT disks? (Choose all that apply.)
A. To convert a basic disk to a GPT disk, the disk must not contain any partitions or volumes.
B. You can convert a basic disk to a GPT disk, regardless of partitions or volumes.
C. GPT is required for disks larger than 2 TB.
D. GPT is required for disks smaller than 2 TB.
E. The GPT partition style can be used on removable media.
F. GPT disks make use of the standard BIOS partition table.
Answer: A,C
Explanation:
A. For a drive to be eligible for conversion to dynamic, all basic data partitions on the drive must be contiguous.
C. GPT allows a much larger partition size greater than 2 terabytes (TB).
D. 2 terabytes is the limit for MBR disks.
E. Dynamic disks are not supported on portable computers, removable disks, detachable disks that use USB or IEEE 1394 interfaces.
F. Windows only supports booting from a GPT disk on systems that contain Unified Extensible Firmware Interface (UEFI) boot firmware. Master boot record (MBR) disks use the standard BIOS partition table. GUID partition table (GPT) disks use unified extensible firmware interface (UEFI). One advantage of GPT disks is that you can have more than four partitions on each disk. GPT is also required for disks larger than 2 terabytes.
Portable computers and removable media.
Dynamic disks are not supported on portable computers, removable disks, detachable disks that use Universal Serial Bus (USB) or IEEE 1394 (also called FireWire) interfaces, or on disks connected to shared SCSI buses. If you are using a portable computer and right-click a disk in the graphical or list view in Disk Management, you will not see the option to convert the disk to dynamic.
Dynamic disks are a separate form of volume management that allows volumes to have noncontiguous extents on one or more physical disks. Dynamic disks and volumes rely on the Logical Disk Manager (LDM) and Virtual Disk Service (VDS) and their associated features. These features enable you to perform tasks such as converting basic disks into dynamic disks, and creating fault-tolerant volumes. To encourage the use of dynamic disks, multi-partition volume support was removed from basic disks, and is now exclusively supported on dynamic disks.
GPT disks can be converted to MBR disks only if all existing partitioning is first deleted, with associated loss of data.
Q. What happens when a basic disk is converted to dynamic?
A. For a drive to be eligible for conversion to dynamic, all basic data partitions on the drive must be contiguous. If other unrecognized partitions separate basic data partitions, the disk cannot be converted. This is one of the reasons that the MSR must be created before any basic data partitions. The first step in conversion is to separate a portion of the MSR to create the configuration database partition. All non-bootable basic partitions are then combined into a single data container partition. Boot partitions are retained as separate data container partitions. This is analogous to conversion of primary partitions. Windows XP and later versions of the Windows operating system differ from Windows 2000 in that basic and extended partitions are preferentially converted to a single 0x42 partition, rather than being retained as multiple distinct 0x42 partitions as on Windows 2000.
Q252. - (Topic 2)
Your network contains an Active Directory domain named contoso.com.
An organizational unit (OU) named OU1 contains the computer accounts for laptops and desktop computers.
A Group Policy object (GPO) named GP1 is linked to OU1.
You need to ensure that the configuration settings in GP1 are applied only to a user named User1.
What should you do?
A. Modify the security settings of OU1.
B. Modify the GPO Status of GP1.
C. Modify the security settings of GP1.
D. Configure the WMI Filter of GP1.
Answer: C
Explanation:
References: Training Guide: Installing and Configuring Windows Server 2012 R2: Chapter 10: Implementing Group Policy, p. 470, 482 http://technet.microsoft.com/en-us/library/jj134176 WMI filtering using GPMC
Q253. - (Topic 1)
In an isolated test environment, you deploy a server named Server1 that runs a Server Core Installation of Windows Server 2012 R2. The test environment does not have Active Directory Domain Services (AD DS) installed.
You install the Active Directory Domain Services server role on Server1.
You need to configure Server1 as a domain controller.
Which cmdlet should you run?
A. Install-ADDSDomainController
B. Install-ADDSDomain
C. Install-ADDSForest
D. Install-WindowsFeature
Answer: C
Explanation:
Install-ADDSDomainController – Installs a domain controller in Active Directory.
Install-ADDSDomain – Installs a new Active Directory domain configuration.
Install-ADDSForest – Installs a new Active Directory forest configuration.
Install-WindowsFeature – Installs one or more Windows Server roles, role services, or features on either the local or a specified remote server that is running Windows Server 2012 R2. This cmdlet is equivalent to and replaces Add-WindowsFeature, the cmdlet that was used to install roles, role services, and features.
C:\PS>Install-ADDSForest -DomainName corp.contoso.com -CreateDnsDelegation -DomainMode Win2008R2 -ForestMode Win2008 -DatabasePath "d:\NTDS" -SysvolPath "d:\SYSVOL" -LogPath "e:\Logs"
Installs a new forest named corp.contoso.com, creates a DNS delegation in the contoso.com domain, sets domain functional level to Windows Server 2008 R2 and sets forest functional level to Windows Server 2008, installs the Active Directory database and SYSVOL on the D:\ drive, installs the log files on the E:\ drive and has the server automatically restart after AD DS installation is complete and prompts the user to provide and confirm the Directory Services Restore Mode (DSRM) password.
Q254. - (Topic 3)
Your network contains a Hyper-V host named Server1 that runs Windows Server 2012 R2.
Server1 hosts a virtual machine named VM1 that runs Windows Server 2012 R2.
You take a snapshot of VM1, and then you install an application on VM1.
You verify that the application runs properly.
You need to ensure that the current state of VM1 is contained in a single virtual hard disk file. The solution must minimize the amount of downtime on VM1.
What should you do?
A. From Hyper-V Manager, delete the snapshot.
B. From a command prompt, run dism.exe and specify the /commit-image parameter.
C. From a command prompt, run dism.exe and specify the /delete-image parameter.
D. From Hyper-V Manager, inspect the virtual hard disk.
Answer: A
Explanation:
Virtual machine snapshots are file-based snapshots of the state, disk data, and configuration of a virtual machine at a specific point in time. You can take multiple snapshots of a virtual machine, even while it is running. You can then revert the virtual machine to any of the previous states by applying a snapshot to the virtual machine. Taking a snapshot of a VM in essence freezes the current state and makes it a parent disk based on the current state, and at the same time creates a child disk to capture all subsequent changes.
Snapshots require adequate storage space. Snapshots are stored as .avhd files in the same location as the virtual hard disk. Taking multiple snapshots can quickly consume a large amount of storage space. When you use Hyper-V Manager to delete a snapshot, the snapshot is removed from the snapshot tree but the .avhd file is not deleted until you turn off the virtual machine.
Q255. - (Topic 3)
Your network contains an Active Directory forest. The forest contains two domains named contoso.com and corp.contoso.com. All domain controllers run Windows Server 2012 R2 and are configured as global catalog servers. The corp.contoso.com domain contains a domain controller named DC1.
You need to disable the global catalog on DC1.
What should you do?
A. From Active Directory Users and Computers, modify the properties of the DC1 computer account.
B. From Active Directory Administrative Center, modify the properties of the DC1 computer account.
C. From Active Directory Sites and Services, modify the NTDS Settings of the DC1 server object.
D. From Active Directory Domains and Trusts, modify the properties of the corp.contoso.com domain.
Answer: C
Explanation:
To add or remove the global catalog:
Open Active Directory Sites and Services. To open Active Directory Sites and Services, click Start, click Administrative Tools, and then click Active Directory Sites and Services. To open Active Directory Sites and Services in Windows Server 2012, click Start, type dssite.msc.
In the console tree, click the server object to which you want to add the global catalog or from which you want to remove the global catalog.
Where?
Active Directory Sites and Services\Sites\SiteName\Servers
In the details pane, right-click NTDS Settings of the selected server object, and then click Properties.
Select the Global Catalog check box to add the global catalog, or clear the check box to remove the global catalog.
Q256. - (Topic 1)
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2 and has the Remote Access server role installed.
A user named User1 must connect to the network remotely. The client computer of User1 requires Challenge Handshake Authentication Protocol (CHAP) for remote connections. CHAP is enabled on Server1.
You need to ensure that User1 can connect to Server1 and authenticate to the domain.
What should you do from Active Directory Users and Computers?
A. From the properties of User1, select Store password using reversible encryption.
B. From the properties of Server1, assign the Allowed to Authenticate permission to User1.
C. From the properties of User1, select Use Kerberos DES encryption types for this account.
D. From the properties of Server1, select Trust this computer for delegation to any service (Kerberos only).
Answer: A
Explanation:
The Store password using reversible encryption policy setting provides support for applications that use protocols that require the user's password for authentication. Storing encrypted passwords in a way that is reversible means that the encrypted passwords can be decrypted. A knowledgeable attacker who is able to break this encryption can then log on to network resources by using the compromised account. For this reason, never enable Store password using reversible encryption for all users in the domain unless application requirements outweigh the need to protect password information.
If you use the Challenge Handshake Authentication Protocol (CHAP) through remote access or Internet Authentication Services (IAS), you must enable this policy setting. CHAP is an authentication protocol that is used by remote access and network connections. Digest Authentication in Internet Information Services (IIS) also requires that you enable this policy setting. If your organization uses CHAP through remote access or IAS, or Digest Authentication in IIS, you must configure this policy setting to Enabled. This presents a security risk when you apply the setting through Group Policy on a user-by-user basis because it requires the appropriate user account object to be opened in Active Directory Users and Computers.
Q257. - (Topic 3)
You work as a senior administrator at Contoso.com. The Contoso.com network consists of a single domain named Contoso.com. All servers on the Contoso.com network have Windows Server 2012 R2 installed.
You are running a training exercise for junior administrators. You are currently discussing connection security rules.
Which of the following is TRUE with regards to connection security rules? (Choose all that apply.)
A. Connection security rules allow for traffic to be secured via IPsec.
B. Connection security rules do not allow the traffic through the firewall.
C. Connection security rules are applied to programs or services.
D. Connection security rules are applied between two computers.
Answer: A,B,D
Explanation:
Connection security involves the authentication of two computers before they begin communications and the securing of information sent between two computers. Windows Firewall with Advanced Security uses Internet Protocol security (IPsec) to achieve connection security by using key exchange, authentication, data integrity, and, optionally, data encryption.
How firewall rules and connection security rules are related
Firewall rules allow traffic through the firewall, but do not secure that traffic. To secure traffic with IPsec, you can create Computer Connection Security rules. However, the creation of a connection security rule does not allow the traffic through the firewall. You must create a firewall rule to do this, if the traffic is not allowed by the default behavior of the firewall. Connection security rules are not applied to programs or services; they are applied between the computers that make up the two endpoints.
Q258. - (Topic 3)
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2 and has the Web Server (IIS) server role installed.
Server1 has a web site named Web1. Web1 is configured to use digest authentication.
You need to ensure that a user named User1 can access Web1.
What should you do from Active Directory Users and Computers?
A. From the properties of User1, select Store password using reversible encryption.
B. From the properties of User1, select Use Kerberos DES encryption types for this account.
C. From the properties of Server1, select Trust this computer for delegation to any service (Kerberos only).
D. From the properties of Server1, assign the Allowed to Authenticate permission to User1.
Answer: A
Explanation:
Challenge Handshake Authentication Protocol (CHAP) is a basic level of iSCSI security that is used to authenticate the peer of a connection and is based upon the peers sharing a secret: that secret being a password. To make sure that User1 can connect to the server, you should use Active Directory Users and Computers to store that password.
Q259. DRAG DROP - (Topic 1)
Your network contains three servers. The servers are configured as shown in the following table.
Your company plans to standardize all of the servers on Windows Server 2012 R2.
You need to recommend an upgrade path for each server.
The solution must meet the following requirements:
- Upgrade the existing operating system whenever possible.
- Minimize hardware purchases.
Which upgrade path should you recommend for each server?
To answer, drag the appropriate upgrade path to each server in the answer area. Each upgrade path may be used once, more than once, or not at all.
Answer:
Q260. - (Topic 2)
Your network contains a production Active Directory forest named contoso.com and a test Active Directory forest named contoso.test. A trust relationship does not exist between the forests.
In the contoso.test domain, you create a backup of a Group Policy object (GPO) named GPO1.
You transfer the backup of GPO1 to a domain controller in the contoso.com domain.
You need to create a GPO in contoso.com based on the settings of GPO1. You must achieve this goal by using the minimum amount of administrative effort.
What should you do?
A. From Windows PowerShell, run the Get-GPO cmdlet and the Copy-GPO cmdlet.
B. From Windows PowerShell, run the New-GPO cmdlet and the Import-GPO cmdlet.
C. From Group Policy Management, create a new starter GPO. Right-click the new starter GPO, and then click Restore from Backup.
D. From Group Policy Management, right-click the Group Policy Objects container, and then click Manage Backups.
Answer: B
Explanation:
A. Copy-GPO requires domain trust / copy from one domain to another domain within the same forest.
B. The Import-GPO cmdlet imports the settings from a GPO backup into a specified target GPO. The target GPO can be in a different domain or forest than that from which the backup was made and it does not have to exist prior to the operation.
C. This would create a starter GPO, not a GPO.
D. You can also restore GPOs. This operation takes a backed-up GPO and restores it to the same domain from which it was backed up. You cannot restore a GPO from backup into a domain different from the GPO's original domain.
The New-GPO cmdlet creates a new GPO with a specified name. By default, the newly created GPO is not linked to a site, domain, or organizational unit (OU). The Import-GPO cmdlet imports the settings from a GPO backup into a specified target GPO. The target GPO can be in a different domain or forest than that from which the backup was made and it does not have to exist prior to the operation. The Restore-GPO cmdlet restores a GPO backup to the original domain from which it was saved. If the original domain is not available, or if the GPO no longer exists in the domain, the cmdlet fails.
Since the GPO's original domain is different and there is no trust relationship between forests, you should execute the New-GPO command and import the already existing GPO backup into the 'new' domain.