Administering Windows Server 2012
Question No: 131 HOTSPOT – (Topic 2)
Your network contains 25 Web servers that run Windows Server 2012 R2.
You need to configure auditing policies that meet the following requirements:
-> Generate an event each time a new process is created.
-> Generate an event each time a user attempts to access a file share.
Which two auditing policies should you configure? To answer, select the appropriate two auditing policies in the answer area.
Question No: 132 – (Topic 2)
Your network contains an Active Directory domain named contoso.com. All servers run Windows Server 2012 R2.
All sales users have laptop computers that run Windows 8. The sales computers are joined to the domain. All user accounts for the sales department are in an organizational unit (OU) named Sales_OU.
A Group Policy object (GPO) named GPO1 is linked to Sales_OU. You need to configure a dial-up connection for all of the sales users. What should you configure from User Configuration in GPO1?
A. Policies/Administrative Templates/Network/Windows Connect Now
B. Preferences/Control Panel Settings/Network Options
C. Policies/Administrative Templates/Windows Components/Windows Mobility Center
D. Policies/Administrative Templates/Network/Network Connections
Answer: B Explanation:
The Network Options extension allows you to centrally create, modify, and delete dial-up networking and virtual private network (VPN) connections. Before you create a network option preference item, you should review the behavior of each type of action possible with the extension.
To create a new Dial-Up Connection preference item
Open the Group Policy Management Console. Right-click the Group Policy object (GPO) that should contain the new preference item, and then click Edit.
In the console tree under Computer Configuration or User Configuration, expand the Preferences folder, and then expand the Control Panel Settings folder.
Right-click the Network Options node, point to New, and select Dial-Up Connection.
http://technet.microsoft.com/en-us/library/cc772107.aspx
http://technet.microsoft.com/en-us/library/cc772449.aspx
Question No: 133 – (Topic 2)
Your network contains an Active Directory domain named contoso.com. Domain controllers run either Windows Server 2003, Windows Server 2008 R2, or Windows Server 2012 R2.
A support technician accidentally deletes a user account named User1. You need to use tombstone reanimation to restore the User1 account. Which tool should you use?
Active Directory Administrative Center
Answer: C Explanation:
Use Ldp.exe to restore a single, deleted Active Directory object
This feature takes advantage of the fact that Active Directory keeps deleted objects in the database for a period of time before physically removing them.
The Ldp.exe tool, included with Windows Server 2012, allows users to perform operations against any LDAP-compatible directory, including Active Directory. LDP is used to view objects stored in Active Directory along with their metadata, such as security descriptors and replication metadata.
http://www.petri.co.il/manually-undeleting-objects-windows-active-directory-ad.htm
http://technet.microsoft.com/en-us/magazine/2007.09.tombstones.aspx
http://technet.microsoft.com/nl-nl/library/dd379509(v=ws.10).aspx#BKMK_2
http://technet.microsoft.com/en-us/library/hh875546.aspx
http://technet.microsoft.com/en-us/library/dd560651(v=ws.10).aspx
Question No: 134 – (Topic 2)
Your network contains two servers named Server1 and Server2. Both servers run Windows Server 2012 R2 and have the DNS Server server role installed. Server1 hosts a primary zone for contoso.com. Server2 hosts a secondary zone for contoso.com. The zone is not configured to notify secondary servers of changes automatically.
You update several records on Server1.
You need to force the replication of the contoso.com zone records from Server1 to Server2. What should you do from Server2?
A. Right-click the contoso.com zone and click Reload.
B. Right-click the contoso.com zone and click Transfer from Master.
C. Right-click Server2 and click Update Server Data Files.
D. Right-click Server2 and click Refresh.
Answer: B Explanation:
Transfer from Master initiates a zone transfer from the secondary server.
Open DNS. In the console tree, right-click the applicable zone, and then click Transfer from Master.
http://technet.microsoft.com/en-us/library/cc779391(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc786985(v=ws.10).aspx
Question No: 135 – (Topic 2)
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2. Server1 has the Network Policy Server server role installed.
You need to allow connections that use 802.1x. What should you create?
A. A network policy that uses Microsoft Protected EAP (PEAP) authentication
B. A network policy that uses EAP-MSCHAP v2 authentication
C. A connection request policy that uses EAP-MSCHAP v2 authentication
D. A connection request policy that uses MS-CHAP v2 authentication
Answer: C Explanation:
802.1X uses EAP, EAP-TLS, EAP-MS-CHAP v2, and PEAP authentication methods:
-> EAP (Extensible Authentication Protocol) uses an arbitrary authentication method, such as certificates, smart cards, or credentials.
-> EAP-TLS (EAP-Transport Layer Security) is an EAP type that is used in certificate-based security environments, and it provides the strongest authentication and key determination method.
-> EAP-MS-CHAP v2 (EAP-Microsoft Challenge Handshake Authentication Protocol version 2) is a mutual authentication method that supports password-based user or computer authentication.
-> PEAP (Protected EAP) is an authentication method that uses TLS to enhance the security of other EAP authentication protocols.
Connection request policies are sets of conditions and settings that allow network administrators to designate which Remote Authentication Dial-In User Service (RADIUS) servers perform the authentication and authorization of connection requests that the server running Network Policy Server (NPS) receives from RADIUS clients. Connection request policies can be configured to designate which RADIUS servers are used for RADIUS accounting.
With connection request policies, you can use NPS as a RADIUS server or as a RADIUS proxy, based on factors such as the following:
-> The time of day and day of the week
-> The realm name in the connection request
-> The type of connection being requested
-> The IP address of the RADIUS client
Question No: 136 – (Topic 2)
Your network contains an Active Directory domain named adatum.com. You have a standard primary zone named adatum.com.
You need to provide a user named User1 the ability to modify records in the zone. Other users must be prevented from modifying records in the zone.
What should you do first?
A. Run the Zone Signing Wizard for the zone.
B. From the properties of the zone, modify the start of authority (SOA) record.
C. From the properties of the zone, change the zone type.
D. Run the New Delegation Wizard for the zone.
Answer: C Explanation:
The zone would need to be changed to an AD-integrated zone. When you use directory-integrated zones, you can use access control list (ACL) editing to secure a dnsZone object container in the directory tree. This feature provides detailed access to either the zone or a specified resource record in the zone. For example, an ACL for a zone resource record can be restricted so that dynamic updates are allowed only for a specified client computer or a secure group, such as a domain administrators group. This security feature is not available with standard primary zones.
DNS update security is available only for zones that are integrated into Active Directory. After you integrate a zone, you can use the access control list (ACL) editing features that are available in the DNS snap-in to add or to remove users or groups from the ACL for a specific zone or for a resource record.
A standard zone (not an Active Directory-integrated zone) has no Security settings.
You first need to change the "Standard Primary Zone" to an AD-integrated zone.
Now there is a Security tab.
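The same procedure in PowerShell, as an added example that is not part of the exam page: convert the standard primary zone to an AD-integrated zone first (the step the question asks for), then grant User1 alone the rights needed to modify records. It assumes the DnsServer and ActiveDirectory modules on a Windows Server 2012 R2 domain controller and the default DomainDnsZones replication scope for the zone's distinguished name.

```powershell
# Added example, not from the exam page. Assumes a Windows Server 2012 R2 DC with the
# DnsServer and ActiveDirectory modules, and the zone stored in DomainDnsZones.
Import-Module DnsServer, ActiveDirectory

$ZoneName = 'adatum.com'
$User     = 'User1'

# Step 1 (the "first" step): change the zone type so the zone has a security descriptor.
ConvertTo-DnsServerPrimaryZone -Name $ZoneName -ReplicationScope Domain -Force

# Step 2: edit the ACL of the dnsZone object through the AD: drive.
$domainDn = (Get-ADDomain).DistinguishedName
$zoneDn   = "DC=$ZoneName,CN=MicrosoftDNS,DC=DomainDnsZones,$domainDn"
$sid      = (Get-ADUser -Identity $User).SID

# Modifying records means creating, deleting and writing dnsNode child objects,
# so grant exactly those rights and let them inherit to the records.
$rights = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild, WriteProperty'
$rule   = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

$acl = Get-Acl -Path "AD:\$zoneDn"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$zoneDn" -AclObject $acl

# Step 3: review who else can still write. Any entry outside the DNS server and
# administrative groups that allows CreateChild or WriteProperty lets other users
# modify records and should be removed from this ACL.
(Get-Acl -Path "AD:\$zoneDn").Access |
    Where-Object { $_.ActiveDirectoryRights -match 'CreateChild|WriteProperty' } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType |
    Format-Table -AutoSize
```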
http://technet.microsoft.com/en-us/library/cc753014.aspx
http://technet.microsoft.com/en-us/library/cc726034.aspx
http://support.microsoft.com/kb/816101
Question No: 137 – (Topic 2)
You have two Windows Server Update Services (WSUS) servers named Server01 and Server02. Server01 synchronizes from Microsoft Update. Server02 synchronizes updates from Server01. Both servers are members of the same Active Directory domain.
You configure Server01 to require SSL for all WSUS metadata by using a certificate issued by an enterprise root certification authority (CA).
You need to ensure that Server02 synchronizes updates from Server01. What should you do on Server02?
A. From a command prompt, run wsusutil.exe configuresslproxy server02 443.
B. From a command prompt, run wsusutil.exe configuressl server01.
C. From a command prompt, run wsusutil.exe configuresslproxy server01 443.
D. From the Update Services console, modify the Update Source and Proxy Server options.
Question No: 138 – (Topic 2)
Your network contains an Active Directory domain named adatum.com. All domain controllers run Windows Server 2012 R2. The domain contains a virtual machine named DC2.
On DC2, you run Get-ADDCCloningExcludedApplicationList and receive the output shown in the following table.
You need to ensure that you can clone DC2.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
Answer: A,E Explanation:
Because domain controllers provide a distributed environment, you could not safely clone an Active Directory domain controller in the past.
Previously, if you cloned any server, the copy would end up with the same identity in the same domain or forest, which is unsupported. You would have to run Sysprep, which removes the unique security information, before cloning, and then promote the domain controller manually. When you clone a domain controller in Windows Server 2012, you perform safe cloning: the cloned domain controller automatically runs a subset of the Sysprep process and promotes itself to a domain controller.
The four primary steps to deploy a cloned virtualized domain controller are as follows:
-> Grant the source virtualized domain controller the permission to be cloned by adding the source virtualized domain controller to the Cloneable Domain Controllers group.
-> Run the Get-ADDCCloningExcludedApplicationList cmdlet in Windows PowerShell to determine which services and applications on the domain controller are not compatible with cloning.
-> Run New-ADDCCloneConfigFile to create the clone configuration file, which is stored in C:\Windows\NTDS.
-> In Hyper-V, export and then import the virtual machine of the source domain controller.
Run the Get-ADDCCloningExcludedApplicationList cmdlet. In this procedure, run Get-ADDCCloningExcludedApplicationList on the source virtualized domain controller to identify any programs or services that have not been evaluated for cloning. You need to run Get-ADDCCloningExcludedApplicationList before New-ADDCCloneConfigFile, because if New-ADDCCloneConfigFile detects an excluded application, it will not create a DCCloneConfig.xml file. To identify applications or services that run on a source domain controller and have not been evaluated for cloning, run: Get-ADDCCloningExcludedApplicationList
The clone domain controller will be located in the same site as the source domain controller unless a different site is specified in the DCCloneConfig.xml file.
-> The Get-ADDCCloningExcludedApplicationList cmdlet searches the local domain controller's installed programs database and Service Control Manager for programs and services that are not specified in the default and user-defined inclusion lists. The applications in the resulting list can be added to the user-defined inclusion list if they are determined to support cloning. If the applications are not cloneable, they should be removed from the source domain controller before the clone media is created. Any application that appears in the cmdlet output and is not included in the user-defined inclusion list will cause cloning to fail.
-> The Get-ADDCCloningExcludedApplicationList cmdlet needs to be run before the New-ADDCCloneConfigFile cmdlet is used, because if New-ADDCCloneConfigFile detects an excluded application, it will not create a DCCloneConfig.xml file.
-> DCCloneConfig.xml is an XML configuration file that contains all of the settings the cloned DC will take when it boots. This includes network settings, DNS, WINS, AD site name, new DC name and more. This file can be generated in a few different ways:
-> The New-ADDCCloneConfigFile cmdlet in PowerShell
-> By hand with an XML editor
-> By editing an existing config file, again with an XML editor (Notepad is not an XML editor.)
You can populate the XML file; it doesn't need to be empty.
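The four cloning steps above, run as an added PowerShell example that is not part of the exam page. It assumes the ActiveDirectory module on a Windows Server 2012 R2 domain controller, that DC2 is the source virtual DC and the commands run on it, and constructed values for the clone's name, site and static addresses.

```powershell
# Added example, not from the exam page. Run on the source virtualized DC (DC2).
# Clone name, site name and IP addresses below are constructed sample values.
Import-Module ActiveDirectory

$SourceDc = 'DC2'

# Step 1: authorize the source DC to be cloned by adding its computer account
# to the Cloneable Domain Controllers group.
Add-ADGroupMember -Identity 'Cloneable Domain Controllers' `
    -Members (Get-ADComputer -Identity $SourceDc)

# Step 2: list installed programs and services not yet evaluated for cloning.
# Anything returned here makes New-ADDCCloneConfigFile refuse to write the config.
$excluded = Get-ADDCCloningExcludedApplicationList
if ($excluded) {
    $excluded | Format-Table -AutoSize
    # Either uninstall the listed software, or, only after confirming it supports
    # cloning, add it to the user-defined inclusion list with:
    #   Get-ADDCCloningExcludedApplicationList -GenerateXml -Force
    throw 'Resolve the excluded applications before creating DCCloneConfig.xml.'
}

# Step 3: write DCCloneConfig.xml (stored in C:\Windows\NTDS by default) with the
# identity and static addressing the clone will take when it first boots.
New-ADDCCloneConfigFile -CloneComputerName 'DC3' -SiteName 'Default-First-Site-Name' `
    -Static -IPv4Address '10.0.0.13' -IPv4SubnetMask '255.255.255.0' `
    -IPv4DefaultGateway '10.0.0.1' -IPv4DNSResolver '10.0.0.12'

# Step 4 happens in Hyper-V: shut down DC2, export the VM, import it as a copy,
# and start the copy; it promotes itself using DCCloneConfig.xml.
```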
http://technet.microsoft.com/en-us/library/hh831734.aspx
http://blogs.dirteam.com/blogs/sanderberkouwer/archive/2012/09/10/new-features-in-active-directory-domain-services-in-windows-server-2012-part-13-domain-controller-cloning.aspx
Question No: 139 – (Topic 2)
Your network contains an Active Directory domain named contoso.com. The functional level of the forest is Windows Server 2008 R2.
Computer accounts for the marketing department are in an organizational unit (OU) named Departments\Marketing\Computers. User accounts for the marketing department are in an OU named Departments\Marketing\Users.
All of the marketing user accounts are members of a global security group named MarketingUsers. All of the marketing computer accounts are members of a global security group named MarketingComputers.
In the domain, you have Group Policy objects (GPOs) as shown in the exhibit. (Click the Exhibit button.)
You create two Password Settings objects named PSO1 and PSO2. PSO1 is applied to MarketingUsers. PSO2 is applied to MarketingComputers.
The minimum password length is defined for each policy as shown in the following table.
You need to identify the minimum password length required for each marketing user.
What should you identify?
Question No: 140 – (Topic 2)
You have a server named Server1 that runs Windows Server 2012 R2. Server1 has the Windows Deployment Services server role installed.
Server1 contains two boot images and four install images.
You need to ensure that when a computer starts from PXE, the available operating system images appear in a specific order.
What should you do?
A. Modify the properties of the boot images.
B. Create a new image group.
C. Modify the properties of the install images.
D. Modify the PXE Response Policy.