Configuring Advanced Windows Server 2012 R2 Services
Question No: 221 HOTSPOT – (Topic 3)
Your network contains an Active Directory domain named contoso.com. The domain contains the two servers.
The servers are configured as shown in the following table.
You investigate a report about the potential compromise of a private key for a certificate issued to Server2.
You need to revoke the certificate issued to Server2. The solution must ensure that the revocation can be reverted.
Which reason code should you select?
To answer, select the appropriate reason code in the answer area.
If you specify quot;Certificate Holdquot; as the reason for revoking the certificate, it typically means that you may want to unrevoke the certificate at a future time. Only certificates that have been revoked with the reason of quot;Certificate Holdquot; can be unrevoked.
Question No: 222 HOTSPOT – (Topic 3)
You build a test environment. The test environment contains one Active Directory forest. The forest contains a single domain named contoso.com. The domain contains the servers configured as shown in the following table.
You run the following commands.
New-ADReplicationSite Site1 New-ADReplicationSite Site2
New-ADReplicationSubnet -Name “192.168.1.0/24” -Site Site1 New-ADReplicationSubnet -Name “192.168.2.0/24” -Site Site2
New-ADReplicationSiteLink -Name “SiteLink1” -SitesIncluded Site1,Site2 -Cost 100 – ReplicationFrequencyInMinutes 15
You promote Server3 and Server4 to domain controllers by using the default options. Use the drop-down menus to select the answer choice that completes each statement.
*Replication will only occur between Server3 and Server4.
* Values that can be transferred in one replication cycle (replication of the current set of updates between a source and destination domain controller): no limit.
Question No: 223 HOTSPOT – (Topic 3)
Your network contains one Active Directory forest named contoso.com and one Active Directory forest named adatum.com. Each forest contains a single domain.
You have the domain controllers configured as shown in the following table.
You perform the following three actions:
->Create a user named User1 on DC3.
->Create a file named File1.txt in the SYSVOL folder on DC1.
->Create a Group Policy object (GPO) named GPO1 on DC1 and link GPO1 to Site2.
You need to identify on which domain controller or controllers each object is stored.
What should you identify? To answer, select the appropriate options in the answer area.
SYSVOL is simply a folder which resides on each and every domain controller within the domain. It contains the domains public files that need to be accessed by clients and kept synchronised between domain controllers.
Here File1.text will be stored on both domain controllers in contoso.com (DC1 and DC2).
User1 will be stored on both domain controllers in adatum.com (DC3 and DC4), and on the global catalog server in contoso.com (DC1).
The global catalog is the set of all objects in an Active Directory Domain Services (AD DS) forest. A global catalog server is a domain controller that stores a full copy of all objects in the directory for its host domain and a partial, read-only copy of all objects for all other domains in the forest. Global catalog servers respond to global catalog queries.
GPO1 will be stored on the global catalog servers in the forest (Dc1 and DC3).
Question No: 224 DRAG DROP – (Topic 3)
Your network contains one Active Directory domain. The domain contains two Hyper-V hosts named Host1 and Host2 that run Windows Server 2012 R2. Host1 contains a virtual machine named DC5. DC5 is a domain controller that runs Windows Server 2012 R2.
You configure Active Directory to support domain controller cloning for DC5, and then you shut down DC5.
You need to create a clone of DC5 on Host2.
What should you run on each Hyper-V host? To answer, drag the appropriate commands or cmdlets to the correct Hyper-v hosts. Each command or cmdlet may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
Explanation: Host1: Export-VM Host2: Import-VM
Use import and export feature, when you want to create a new virtual machine with the same configuration of an existing machine in Hyper-V.
The Export-VM cmdlet exports a virtual machine to disk. The Import-VM cmdlet imports a virtual machine from a file.
Question No: 225 – (Topic 3)
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2. Server1 has the Active Directory Certificate Services server role installed and is configured to support key archival and recovery.
You create a new Active Directory group named Group1.
You need to ensure that the members of Group1 can request a Key Recovery Agent certificate.
The solution must minimize the permissions assigned to Group1.
Which two permissions should you assign to Group1? (Each correct answer presents part of the solution. Choose two.)
Answer: A,D Explanation:
See step 6 below.
To configure the Key Recovery Agent certificate template
->Open the Certificate Templates snap-in.
->In the console tree, right-click theKey Recovery Agentcertificate template.
->InTemplate, type a new template display name, and then modify any other optional properties as needed.
->On theSecuritytab, clickAdd, type the name of the users you want to issue the key recovery agent certificates to, and then clickOK.
->UnderGroup or user names, select the user names that you just added.
UnderPermissions, select theReadandEnrollcheck boxes, and then clickOK. Reference: Identify a Key Recovery Agent
Question No: 226 – (Topic 3)
Your network contains an Active Directory domain named contoso.com. The domain contains two member servers named Server1 and Server2. All servers run Windows Server 2012 R2.
Server1 and Server2 have the Failover Clustering feature installed. The servers are configured as nodes in a failover cluster named Cluster1. Cluster1 has access to four physical disks. The disks are configured as shown in the following table.
You need to ensure that all of the disks can be added to a Cluster Shared Volume (CSV).
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
Format Disk2 to use NTFS.
Format Disk3 to use NTFS.
Enable BitLocker on Disk4.
Disable BitLocker on Disk1.
Answer: A,D Explanation:
A. In Windows Server 2012 R2, a disk or storage space for a CSV volume must be a basic
disk that is partitioned with NTFS or ReFS, but you cannot use a disk for a CSV that is formatted with FAT or FAT32.
D. CSV supports bitlocker, but you would have to enable it on all nodes in the cluster. Therefore we need to disable bitlocker on Disk1.
Not B. ReFS would work fine. In Windows Server 2012 R2, a disk or storage space for a CSV volume must be a basic disk that is partitioned with NTFS or ReFS.
Not C. Bitlocker must be enabled on all disks for it to work for a CSV.
Reference: Use Cluster Shared Volumes in a Failover Cluster https://technet.microsoft.com/en-us/library/jj612868.aspx
Reference: How to Configure BitLocker Encrypted Clustered Disks in Windows Server 2012
Question No: 227 – (Topic 3)
Your network contains an Active Directory domain named contoso.com. The domain contains an IP Address Management (IPAM) server that uses a Windows Internal Database.
You install a Microsoft SQL Server 2012 instance on a new server. You need to migrate the IPAM database to the SQL Server instance. Which cmdlet should you run?
Answer: D Explanation:
The Move-IpamDatabase cmdlet migrates the IP Address Management (IPAM) database to a Microsoft SQL Server database. You can migrate from Windows Internal Database (WID) or from a SQL Server database. The cmdlet creates a new IPAM schema and copies all data from the existing IPAM database. After the cmdlet completes copying data, it changes IPAM configuration settings to refer to the new database as the IPAM database.
Question No: 228 – (Topic 3)
Your network contains an Active Directory domain named contoso.com.
Domain controllers run either Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012 R2.
You have a Password Settings object (PSOs) named PSO1. You need to view the settings of PSO1.
Which tool should you use?
Active Directory Administrative Center
Group Policy Management
Answer: A Explanation:
To implement Fine-Grained Passwords you have to deploy a Windows Server 2012 Domain Controller, with the domain functional level set at Windows Server 2008 or above. You can now accomplish this task in ADAC (Active Directory Administrative Center).
Editing or viewing a policy is as simple as expanding the AD tree and selecting the correct policy within the Password Settings container. Right-click Properties; or double-click opens the policy for editing.
Reference: Guest Post: How to use Fine-Grained Passwords in Windows Server 2012
Question No: 229 – (Topic 3)
You need to verify whether a DNS response from a DNS server is signed by DNSSEC. What should you run?
Answer: C Explanation:
The Resolve-DnsName cmdlet performs a DNS query for the specified name. This cmdlet is functionally similar to the nslookup tool which allows users to query for names. The Resolve-DnsName cmdlet was introduced in Windows Server 2012 and Windows 8 and can be used to display DNS queries that include DNSSEC data.
Sets the DNSSEC OK bit for this query.
Sets the DNSSEC checking-disabled bit for this query
Example: In the following example, the DO=1 flag is set by adding the dnssecok parameter.
PS C:\gt; resolve-dnsname -name finance.secure.contoso.com -type A -server dns1.contoso.com -dnssecok
Not A: Do not use the nslookup command-line tool to test DNSSEC support for a zone. The nslookup tool uses an internal DNS client that is not DNSSEC-aware.
Reference: Resolve-DnsName https://technet.microsoft.com/library/jj590781.aspx Reference: Overview of DNSSEC
Question No: 230 – (Topic 3)
Your network contains two Active Directory forests named contoso.com and adatum.com. All domain controllers run Windows Server 2012 R2.
The adatum.com domain contains a Group Policy object (GPO) named GPO1. An administrator from adatum.com backs up GPO1 to a USB flash drive.
You have a domain controller named dc1.contoso.com. You insert the USB flash drive in dc1.contoso.com.
You need to identify the domain-specific reference in GPO1. What should you do?
From the Migration Table Editor, clickPopulate from Backup.
From Group Policy Management, run the Group Policy Modeling Wizard.
From Group Policy Management, run the Group Policy results Wizard.
From the Migration Table Editor, clickPopulate from GPO.
Answer: A Explanation:
You can auto-populate a migration table by scanning one or more GPOs or backups to extract all references to security principals and UNC paths, and then enter these items into the table as source name entries. This capability is provided by the Populate from GPO and Populate from Backup options.
Reference: The migration table editor https://technet.microsoft.com/sv-se/library/Cc779961(v=WS.10).aspx
|Lowest Price Guarantee||Yes||No||No|
|Free VCE Simulator||Yes||No||No|