70-411 Exam
70 411 exam questions [Jan 2021]
we provide Tested Microsoft 70 411 vce practice question which are the best for clearing 70 411 administering windows server 2012 r2 pdf test, and to get certified by Microsoft Administering Windows Server 2012. The exam 70 411 Questions & Answers covers all the knowledge points of the real 70 411 study guide exam. Crack your Microsoft examcollection 70 411 Exam with latest dumps, guaranteed!
Q41. Your network contains an Active Directory domain named contoso.com. Network Access Protection (NAP) is deployed to the domain.
You need to create NAP event trace log files on a client computer.
What should you run?
A. logman
B. Register-ObjectEvent
C. tracert
D. Register-EngineEvent
Answer: A
Explanation:
You can enable NAP client tracing by using the command line. On computers running Windows Vista., you can enable tracing by using the NAP Client Configuration console. NAP client tracing files are written in Event Trace Log (ETL) format. These are binary files representing trace data that must be decoded by Microsoft support personnel. Use the –o option to specify the directory to which they are written. In the following example, files are written to %systemroot%\tracing\nap. For more information, see Logman (http: //go. microsoft.com/fwlink/?LinkId=143549).
To create NAP event trace log files on a client computer
Open a command line as an administrator.
Type
logman start QAgentRt -p {b0278a28-76f1-4e15-b1df-14b209a12613} 0xFFFFFFFF 9 -o
%systemroot%\tracing\nap\QAgentRt. etl –ets.
Note: To troubleshoot problems with WSHA, use the following GUID: 789e8f15-0cbf-4402-b0ed-0e22f90fdc8d.
Reproduce the scenario that you are troubleshooting.
Type logman stop QAgentRt -ets.
Close the command prompt window.
References:
http: //technet. microsoft. com/en-us/library/dd348461%28v=ws. 10%29. aspx
Q42. Your network contains an Active Directory domain named contoso.com. The domain contains more than 100 Group Policy objects (GPOs). Currently, there are no enforced GPOs.
The domain is renamed to adatum.com.
Group Policies no longer function correctly.
You need to ensure that the existing GPOs are applied to users and computers. You want to achieve this goal by using the minimum amount of administrative effort.
What should you use?
A. Dcgpofix
B. Get-GPOReport
C. Gpfixup
D. Gpresult
E. Gpedit. msc
F. Import-GPO
G. Restore-GPO
H. Set-GPInheritance
I. Set-GPLink
J. Set-GPPermission
K. Gpupdate
L. Add-ADGroupMember
Answer: C
Explanation:
You can use the gpfixup command-line tool to fix the dependencies that Group Policy objects (GPOs) and Group Policy links in Active Directory Domain Services (AD DS) have on Domain Name System (DNS) and NetBIOS names after a domain rename operation.
Reference: http: //technet. microsoft. com/en-us/library/hh852336(v=ws. 10). aspx
Q43. HOTSPOT
Your network contains one Active Directory domain named contoso.com. The domain contains 10 file servers that run Windows Server 2012 R2.
You plan to enable BitLocker Drive Encryption (BitLocker) for the operating system drives of the file servers.
You need to configure BitLocker policies for the file servers to meet the following requirements:
. Ensure that all of the servers use a startup PIN for operating system drives encrypted with BitLocker.
. Ensure that the BitLocker recovery key and recovery password are stored in Active
Directory. Which two Group Policy settings should you configure? To answer, select the appropriate settings in the answer area.
Answer:
Q44. HOTSPOT
You have a server named Server1 that runs Windows Server 2012 R2.
You configure Network Access Protection (NAP) on Server1.
Your company implements a new security policy stating that all client computers must have the latest updates installed. The company informs all employees that they have two weeks to update their computer accordingly.
You need to ensure that if the client computers have automatic updating disabled, they are provided with full access to the network until a specific date and time.
Which two nodes should you configure?
To answer, select the appropriate two nodes in the answer area.
Answer:
Q45. Your network contains an Active Directory domain named contoso.com. All servers run Windows Server 2012 R2.
The domain contains a server named Server1 that has the Network Policy Server server role and the Remote Access server role installed. The domain contains a server named Server2 that is configured as a RADIUS server.
Server1 provides VPN access to external users.
You need to ensure that all of the VPN connections to Server1 are logged to the RADIUS server on Server2.
What should you run?
A. Add-RemoteAccessRadius -ServerNameServer1 -AccountingOnOffMsg Enabled -SharedSecret "Secret" -Purpose Accounting
B. Set-RemoteAccessAccounting -AccountingOnOffMsg Enabled -AccountingOnOffMsg Enabled
C. Add-RemoteAccessRadius -ServerName Server2 -AccountingOnOffMsg Enabled -SharedSecret "Secret" -Purpose Accounting
D. Set-RemoteAccessAccounting -EnableAccountingType Inbox -AccountingOnOffMsg Enabled
Answer: C
Explanation:
Add-RemoteAccessRadius
Adds a new external RADIUS server for VPN authentication, accounting for DirectAccess
(DA) and VPN, or one-time password (OTP) authentication for DA.
AccountingOnOffMsg<String>
Indicates the enabled state for sending of accounting on or off messages. The acceptable
values for this parameter are:
. Enabled.
. Disabled.
This is the default value. This parameter is applicable only when the RADIUS server is being added for Remote Access accounting.
Q46. Your network contains an Active Directory domain named contoso.com. The domain contains a file server named Server1 that runs Windows Server 2012 R2.
You view the effective policy settings of Server1 as shown in the exhibit. (Click the Exhibit button.)
You need to ensure that an entry is added to the event log whenever a local user account is created or deleted on Server1.
What should you do?
A. In Servers GPO, modify the Advanced Audit Configuration settings.
B. On Server1, attach a task to the security log.
C. In Servers GPO, modify the Audit Policy settings.
D. On Server1, attach a task to the system log.
Answer: A
Explanation:
When you use Advanced Audit Policy Configuration settings, you need to confirm that these settings are not overwritten by basic audit policy settings. The following procedure shows how to prevent conflicts by blocking the application of any basic audit policy settings.
Enabling Advanced Audit Policy Configuration
Basic and advanced audit policy configurations should not be mixed. As such, it’s best practice to enable Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings in Group Policy to make sure that basic auditing is disabled. The setting can be found under Computer Configuration\Policies\Security Settings\Local Policies\Security Options, and sets the SCENoApplyLegacyAuditPolicy registry key to prevent basic auditing being applied using Group Policy and the Local Security Policy MMC snap-in.
In Windows 7 and Windows Server 2008 R2, the number of audit settings for which success and failure can be tracked has increased to 53. Previously, there were nine basic auditing settings under Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy. These 53 new settings allow you to select only the behaviors that you want to monitor and exclude audit results for behaviors that are of little or no concern to you, or behaviors that create an excessive number of log entries. In addition, because Windows 7 and Windows Server 2008 R2 security audit policy can be applied by using domain Group Policy, audit policy settings can be modified, tested, and deployed to selected users and groups with relative simplicity.
Audit Policy settings
Any changes to user account and resource permissions.
Any failed attempts for user logon.
Any failed attempts for resource access.
Any modification to the system files.
Advanced Audit Configuration Settings
Audit compliance with important business-related and security-related rules by tracking precisely defined activities, such as:
. A group administrator has modified settings or data on servers that contain finance information.
. An employee within a defined group has accessed an important file.
. The correct system access control list (SACL) is applied to every file and folder or registry key on a computer or file share as a verifiable safeguard against undetected access.
In Servers GPO, modify the Audit Policy settings - enabling audit account management setting will generate events about account creation, deletion and so on.
Advanced Audit Configuration Settings
Advanced Audit Configuration Settings ->Audit Policy
-> Account Management -> Audit User Account Management
In Servers GPO, modify the Audit Policy settings - enabling audit account management setting will generate events about account creation, deletion and so on.
Reference:
http: //blogs. technet. com/b/abizerh/archive/2010/05/27/tracing-down-user-and-computer-account-deletion-in-active-directory. aspx
http: //technet. microsoft. com/en-us/library/dd772623%28v=ws. 10%29. aspx
http: //technet. microsoft. com/en-us/library/jj852202(v=ws. 10). aspx
http: //www. petri. co. il/enable-advanced-audit-policy-configuration-windows-server. htm
http: //technet. microsoft. com/en-us/library/dd408940%28v=ws. 10%29. aspx
http: //technet. microsoft. com/en-us/library/dd408940%28v=ws. 10%29.
aspx#BKMK_step2
Q47. Your network contains an Active Directory domain named contoso.com. The domain
contains a server named Server1 that runs Windows Server 2008 R2.
You plan to test Windows Server 2012 R2 by using native-boot virtual hard disks (VHDs).
You have a Windows image file named file1.wim.
You need to add an image of a volume to file1.wim.
What should you do?
A. Run imagex.exe and specify the /append parameter.
B. Run imagex.exe and specify the /export parameter.
C. Run dism.exe and specify the /image parameter.
D. Run dism.exe and specify the /append-image parameter.
Answer: D
Explanation: The Deployment Image Servicing and Management (DISM) tool is a command-line tool that enables the creation of Windows image (.wim) files for deployment in a manufacturing or corporate IT environment. The /Append-Image option appends a volume image to an existing .wim file allowing you to store many customized Windows images in a fraction of the space. When you combine two or more Windows image files into a single .wim, any files that are duplicated between the images are only stored once.
Incorrect:
Not A, Not B: Imagex has been retired and replaced by dism.
Reference: Append a Volume Image to an Existing Image Using DISM
https://technet.microsoft.com/en-us/library/hh824916.aspx
Q48. Your network contains an Active Directory forest named contoso.com. The forest functional level is Windows Server 2012 R2. The forest contains a single domain.
You create a Password Settings object (PSO) named PSO1.
You need to delegate the rights to apply PSO1 to the Active Directory objects in an organizational unit named OU1.
What should you do?
A. From Active Directory Users and Computers, run the Delegation of Control Wizard.
B. From Active Directory Administrative Center, modify the security settings of PSO1.
C. From Group Policy Management, create a Group Policy object (GPO) and link the GPO to OU1.
D. From Active Directory Administrative Center, modify the security settings of OU1.
Answer: B
Explanation:
PSOs cannot be applied to organizational units (OUs) directly. If your users are organized into OUs, consider creating global security groups that contain the users from these OUs and then applying the newly defined finegrained password and account lockout policies to them. If you move a user from one OU to another, you must update user memberships in the corresponding global security groups. Go ahead and hit "OK" and then close out of all open windows. Now that you have created a password policy, we need to apply it to a user/group. In order to do so, you must have "write" permissions on the PSO object. We're doing this in a lab, so I'm Domain Admin. Write permissions are not a problem
1. Open Active Directory Users and Computers (Start, point to Administrative Tools, and then click Active Directory Users and Computers).
2. On the View menu, ensure that Advanced Features is checked.
3. In the console tree, expand Active Directory Users and Computers\yourdomain\System\Password Settings Container
4. In the details pane, right-click the PSO, and then click Properties.
5. Click the Attribute Editor tab.
6. Select the msDS-PsoAppliesTo attribute, and then click Edit.
Q49. Your network contains two DNS servers named Server1 and Server2 that run Windows Server 2012 R2. Server1 hosts a primary zone for contoso.com. Server2 hosts a secondary zone for contoso.com.
You need to ensure that Server2 replicates changes to the contoso.com zone every five minutes.
Which setting should you modify in the start of authority (SOA) record?
A. Retry interval
B. Expires after
C. Minimum (default) TTL
D. Refresh interval
Answer: D
Explanation:
By default, the refresh interval for each zone is set to 15 minutes. The refresh interval is used to determine how often other DNS servers that load and host the zone must attempt to renew the zone.
Q50. Your network contains an Active Directory domain named contoso.com. Domain controllers run either Windows Server 2003, Windows Server 2008 R2, or Windows Server 2012 R2.
A support technician accidentally deletes a user account named User1.
You need to use tombstone reanimation to restore the User1 account.
Which tool should you use?
A. Active Directory Administrative Center
B. Ntdsutil
C. Ldp
D. Esentutl
Answer: C
Explanation:
Use Ldp.exe to restore a single, deleted Active Directory object This feature takes advantage of the fact that Active Directory keeps deleted objects in the database for a period of time before physically removing them. use Ldp.exe to restore a single, deleted Active Directory object
The LPD.exe tool, included with Windows Server 2012, allows users to perform operations against any LDAP-compatible directory, including Active Directory. LDP is used to view objects stored in Active Directory along with their metadata, such as security descriptors and replication metadata.
References:
http: //www. petri. co. il/manually-undeleting-objects-windows-active-directory-ad. htm
http: //www. petri. co. il/manually-undeleting-objects-windows-active-directory-ad. htm
http: //technet. microsoft. com/en-us/magazine/2007. 09. tombstones. aspx
http: //technet. microsoft. com/nl-nl/library/dd379509(v=ws. 10). aspx#BKMK_2
http: //technet. microsoft. com/en-us/library/hh875546. aspx
http: //technet. microsoft. com/en-us/library/dd560651(v=ws. 10). aspx