70-411 Exam
Dec 2021 updated: microsoft 70 411
Exam Code: microsoft 70 411 (Practice Exam Latest Test Questions VCE PDF)
Exam Name: Administering Windows Server 2012
Certification Provider: Microsoft
Free Today! Guaranteed Training- Pass 70 411 exam questions Exam.
Q81. Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2. Server1 has the Network Policy Server role service installed.
You plan to configure Server1 as a Network Access Protection (NAP) health policy server for VPN enforcement by using the Configure NAP wizard.
You need to ensure that you can configure the VPN enforcement method on Server1 successfully.
What should you install on Server1 before you run the Configure NAP wizard?
A. A system health validator (SHV)
B. The Host Credential Authorization Protocol (HCAP)
C. A computer certificate
D. The Remote Access server role
Answer: C
Explanation:
Configure NAP enforcement for VPN
This checklist provides the steps required to deploy computers with Routing and Remote
Access Service installed and configured as VPN servers with Network Policy Server (NPS) and Network Access Protection (NAP).
Q82. Your network contains an Active Directory domain named contoso.com. All domain controllers run Windows Server 2012 R2.
An organizational unit (OU) named OU1 contains 200 client computers that run Windows 8 Enterprise. A Group Policy object (GPO) named GPO1 is linked to OU1.
You make a change to GPO1.
You need to force all of the computers in OU1 to refresh their Group Policy settings immediately. The solution must minimize administrative effort.
Which tool should you use?
A. Server Manager
B. Active Directory Users and Computers
C. The Gpupdate command
D. Group Policy Management Console (GPMC)
Answer: D
Explanation:
Starting with Windows Server. 2012 and Windows. 8, you can now remotely refresh Group Policy settings for all computers in an OU from one central location through the Group Policy Management Console (GPMC). Or you can use the Invoke-GPUpdatecmdlet to refresh Group Policy for a set of computers, not limited to the OU structure, for example, if the computers are located in the default computers container.
References: http: //technet. microsoft. com/en-us//library/jj134201. aspx
http: //blogs. technet. com/b/grouppolicy/archive/2012/11/27/group-policy-in-windows-server-2012-using-remote-gpupdate. aspx
Q83. You have a server named Server1 that runs Windows Server 2012 R2. Server1 has the Windows Server Update Services server role installed.
You need to configure Windows Server Update Services (WSUS) to support Secure Sockets Layer (SSL).
Which three actions should you perform? (Each correct answer presents part of the solution. Choose three.)
A. From Internet Information Services (IIS) Manager, modify the connection strings of the WSUS website.
B. Install a server certificate.
C. Run the wsusutil.exe command.
D. Run the iisreset.exe command.
E. From Internet Information Services (IIS) Manager, modify the bindings of the WSUS website.
Answer: B,C,E
Explanation:
Certificate needs to be installed to IIS, Bindings modifies and wsusutil run.
1. First we need to request a certificate for the WSUS web site, so open IIS, click the server
name, then open Server Certificates.
On the Actions pane click Create Domain Certificate.
2. To add the signing certificate to the WSUS Web site in IIS 7.0
On the WSUS server, open Internet Information Services (IIS) Manager.
Expand Sites, right-click the WSUS Web site, and then click Edit Bindings.
In the Site Binding dialog box, select the https binding, and click Edit to open the Edit Site
Binding dialog box.
Select the appropriate Web server certificate in the SSL certificate box, and then click OK.
Click Close to exit the Site Bindings dialog box, and then click OK to close Internet
Information Services (IIS) Manager.
3. WSUSUtil.exe configuressl<FQDN of the software update point site system> (the name
in your certificate)
WSUSUtil.exe configuressl<Intranet FQDN of the software update point site system>.
4. The next step is to point your clients to the correct url, by modifying the existing GPO or
creating a new one. Open the policy Specify intranet Microsoft update service location and
type the new url in the form https: //YourWSUSserver.
The gpupdate /force command will just download all the GPO’s and re-apply them to the client, it won’t force the client to check for updates. For that you need to use wuauclt /resetautorization /detectnow followed by wuauclt /reportnow
References:
http: //technet. microsoft. com/en-us/library/bb680861. aspx
http: //technet. microsoft. com/en-us/library/bb633246. aspx
http: //www. vkernel. ro/blog/configure-wsus-to-use-ssl
Q84. Your network contains an Active Directory domain named contoso.com. The domain contains a read-only domain controller (RODC) named RODC1.
You create a global group named RODC_Admins.
You need to provide the members of RODC_Admins with the ability to manage the hardware and the software on R0DC1. The solution must not provide RODC_Admins with the ability to manage Active Directory objects.
What should you do?
A. From Active Directory Site and Services, configure the Security settings of the RODC1 server object.
B. From Windows PowerShell, run the Set-ADAccountControlcmdlet.
C. From a command prompt, run the dsmgmt local roles command.
D. From Active Directory Users and Computers, configure the Member Of settings of the RODC1 account.
Answer: C
Explanation:
RODC: using the dsmgmt.exe utility to manage local administrators One of the benefits of RODC is that you can add local administrators who do not have full access to the domain administration. This gives them the ability to manage the server but not add or change active directory objects unless those roles are delegated. Adding this type of user is done using the dsmdmt.exe utility at the command prompt.
Q85. Your network contains an Active Directory domain named contoso.com. All domain controllers run Windows Server 2012 R2. The domain contains 500 client computers that run Windows 8.1 Enterprise and Microsoft Office 2013.
You implement a Group Policy central store.
You need to modify the default Microsoft Office 2013 Save As location for all client computers. The solution must minimize administrative effort.
What should you configure in a Group Policy object (GPO)?
A. The Group Policy preferences
B. An application control policy
C. The Administrative Templates
D. The Software Installation settings
Answer: A
Explanation:
Group Policy preferences provide the means to simplify deployment and standardize configurations. They add to Group Policy a centralized system for deploying preferences (that is, settings that users can change later). You can also use Group Policy preferences to configure applications that are not Group Policy-aware. By using Group Policy preferences, you can change or delete almost any registry setting, file or folder, shortcut, and more. You are not limited by the contents of Administrative Template files.
: http://technet.microsoft.com/en-us/library/dn581922.aspx
Q86. Your network contains an Active Directory domain named contoso.com. All servers run Windows Server 2012 R2. The domain contains two servers. The servers are configured as shown in the following table.
All client computers run Windows 8 Enterprise.
You plan to deploy Network Access Protection (NAP) by using IPSec enforcement.
A Group Policy object (GPO) named GPO1 is configured to deploy a trusted server group to all of the client computers.
You need to ensure that the client computers can discover HRA servers automatically.
Which three actions should you perform? (Each correct answer presents part of the solution. Choose three.)
A. On all of the client computers, configure the EnableDiscovery registry key.
B. In a GPO, modify the Request Policy setting for the NAP Client Configuration.
C. On Server2, configure the EnableDiscovery registry key.
D. On DC1, create an alias (CNAME) record.
E. On DC1, create a service location (SRV) record.
Answer: A,B,E
Explanation:
Requirements for HRA automatic discovery
The following requirements must be met in order to configure trusted server groups on NAP client computers using HRA automatic discovery:
Client computers must be running Windows Vista. with Service Pack 1 (SP1) or Windows XP with Service Pack 3 (SP3).
The HRA server must be configured with a Secure Sockets Layer (SSL) certificate.
The EnableDiscovery registry key must be configured on NAP client computers.
DNS SRV records must be configured.
The trusted server group configuration in either local policy or Group Policy must be cleared.
http: //technet. microsoft. com/en-us/library/dd296901. aspx
Q87. Your network contains an Active Directory domain named contoso.com. All domain controllers run Windows Server 2012 R2.
You create a central store for Group Policy.
You receive a custom administrative template named Template1.admx.
You need to ensure that the settings in Template1.admx appear in all new Group Policy objects (GPOs).
What should you do?
A. From the Default Domain Controllers Policy, add Template1.admx to the Administrative Templates.
B. From the Default Domain Policy, add Template1.admx to the Administrative Templates.
C. Copy Template1.admx to \\Contoso.com\SYSVOL\Contoso.com\Policies\PolicyDefinitions\.
D. Copy Template1.admx to \\Contoso.com\NETLOGON.
Answer: C
Explanation:
Unlike ADM files, ADMX files are not stored in individual GPOs. For domain-based enterprises, administrators can create a central store location of ADMX files that is accessible by anyone with permission to create or edit GPOs.
Q88. You have the following Windows PowerShell Output.
You need to create a Managed Service Account.
What should you do?
A. Run New-ADServiceAccount –Name “service01” –DNSHostName service01.contoso.com –SAMAccountName service01.
B. Run New-AuthenticationPolicySilo, and then run New-ADServiceAccount –Name “service01” –DNSHostName service01.contoso.com.
C. Run Add-KDSRootKey, and then run New-ADServiceAccount –Name “service01” –DNSHostName service01.contoso.com.
D. Run Set-KDSConfiguration, and then run New-ADServiceAccount –Name “service01” –DNSHostName service01.contoso.com.
Answer: C
Explanation: From the exhibit we see that the required key does not exist. First we create this key, then we create the managed service account.
The Add-KdsRootKey cmdlet generates a new root key for the Microsoft Group Key Distribution Service (KdsSvc) within Active Directory (AD). The Microsoft Group KdsSvc generates new group keys from the new root key.
The New-ADServiceAccount cmdlet creates a new Active Directory managed service account.
Reference: New-ADServiceAccount
https://technet.microsoft.com/en-us/library/hh852236(v=wps.630).aspx
Reference: Add-KdsRootKey
ttps://technet.microsoft.com/en-us/library/jj852117(v=wps.630).aspx
Q89. Your network contains an Active Directory domain named adatum.com. All domain controllers run Windows Server 2012 R2. The domain contains a virtual machine named DC2.
On DC2, you run Get-ADDCCIoningExcludedApplicationList and receive the output shown in the following table.
You need to ensure that you can clone DC2.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Option A
B. Option B
C. Option C
D. Option D
E. Option E
Answer: A,E
Explanation:
Because domain controllers provide a distributed environment, you could not safely clone an Active Directory domain controller in the past.
Before, if you cloned any server, the server would end up with the same domain or forest, which is unsupported with the same domain or forest. You would then have to run sysprep, which would remove the unique security information before cloning and then promote a domain controller manually. When you clone a domain controller, you perform safe cloning, which a cloned domain controller automatically runs a subset of the sysprep process and promotes the server to a domain controller automatically.
The four primary steps to deploy a cloned virtualized domain controller are as follows:
. Grant the source virtualized domain controller the permission to be cloned by
adding the source virtualized domain controller to the Cloneable Domain
Controllers group.
. Run Get-ADDCCloningExcludedApplicationListcmdlet in Windows PowerShell to determine which services and applications on the domain controller are not compatible with the cloning.
. Run New-ADDCCloneConfigFile to create the clone configuration file, which is stored in the C:\Windows\NTDS.
. In Hyper-V, export and then import the virtual machine of the source domain controller.
Run Get-ADDCCloningExcludedApplicationListcmdlet In this procedure, run the Get-ADDCCloningExcludedApplicationListcmdlet on the source virtualized domain controller to identify any programs or services that are not evaluated for cloning. You need to run the Get-ADDCCloningExcludedApplicationListcmdlet before the New-ADDCCloneConfigFilecmdlet because if the New-ADDCCloneConfigFilecmdlet detects an excluded application, it will not create a DCCloneConfig.xml file. To identify applications or services that run on a source domain controller which have not been evaluated for cloning.
Get-ADDCCloningExcludedApplicationList
Get-ADDCCloningExcludedApplicationList -GenerateXml
The clone domain controller will be located in the same site as the source domain controller unless a different site is specified in the DCCloneConfig.xml file.
Note:
. The Get-ADDCCloningExcludedApplicationListcmdlet searches the local domain controller for programs and services in the installed programs database, the services control manager that are not specified in the default and user defined inclusion list. The applications in the resulting list can be added to the user defined exclusion list if they are determined to support cloning. If the applications are not cloneable, they should be removed from the source domain controller before the clone media is created. Any application that appears in cmdlet output and is not included in the user defined inclusion list will force cloning to fail.
. The Get-ADDCCloningExcludedApplicationListcmdlet needs to be run before the New- ADDCCloneConfigFilecmdlet is used because if the New-ADDCCloneConfigFilecmdlet detects an excluded application, it will not create a DCCloneConfig.xml file.
. DCCloneConfig.xml is an XML configuration file that contains all of the settings the cloned DC will take when it boots. This includes network settings, DNS, WINS, AD site name, new DC name and more. This file can be generated in a few different ways.
The New-ADDCCloneConfigcmdlet in PowerShell
By hand with an XML editor
By editing an existing config file, again with an XML editor (Notepad is not an XML editor.)
You can populate the XML file. . . . . doesn't need to be empty. . . . .
References: http: //technet. microsoft. com/en-us/library/hh831734. aspx
http: //blogs. dirteam. com/blogs/sanderberkouwer/archive/2012/09/10/new-features-in-active-directory-domain-services-in-windows-server-2012-part-13-domain-controller-cloning. aspx
Q90. You have a server named Server1 that runs Windows Server 2012 R2. Server1 has the File Server Resource Manager role service installed.
Each time a user receives an access-denied message after attempting to access a folder on Server1, an email notification is sent to a distribution list named DL1.
You create a folder named Folder1 on Server1, and then you configure custom NTFS permissions for Folder1.
You need to ensure that when a user receives an access-denied message while attempting to access Folder1, an email notification is sent to a distribution list named DL2. The solution must not prevent DL1 from receiving notifications about other access-denied messages.
What should you do?
A. From Server Manager, run the New Share Wizard to create a share for Folder1 by selecting the SMB Share - Advanced option.
B. From the File Server Resource Manager console, modify the Access-Denied Assistance settings.
C. From the File Server Resource Manager console, modify the Email Notifications settings.
D. From Server Manager, run the New Share Wizard to create a share for Folder1 by selecting the SMB Share -Applications option.
Answer: A
Reference: http://technet.microsoft.com/en-us/library/jj574182.aspx#BKMK_12
Explanation:
When using the email model each of the file shares, you can determine whether access requests to each file share will be received by the administrator, a distribution list that represents the file share owners, or both.
The owner distribution list is configured by using the SMB Share – Advanced file share profile in the New Share Wizard in Server Manager.