Configuring Advanced Windows Server 2012 R2 Services
Question No: 91 – (Topic 2)
Your network contains an Active Directory domain named contoso.com. All servers run Windows Server 2012 R2.
The domain contains a domain controller named DC1 that is configured as an enterprise root certification authority (CA).
All users in the domain are issued a smart card and are required to log on to their domain-joined client computer by using their smart card.
A user named User1 resigned and started to work for a competing company.
You need to prevent User1 immediately from logging on to any computer in the domain. The solution must not prevent other users from logging on to the domain.
Which tool should you use?
Active Directory Users and Computers
The Certificates snap-in
Active Directory Administrative Center
Answer: D Explanation:
To disable or enable a user account using Active Directory Administrative Center
To open Active Directory Administrative Center, click Start, click Administrative Tools, and then click Active Directory Administrative Center.
To open Active Directory Users and Computers in Windows Server 2012, click Start, type dsac.exe.
In the navigation pane, select the node that contains the user account whose status you want to change.
In the management list, right-click the user whose status you want to change.
Depending on the status of the user account, do one of the following:
Reference: Disable or Enable a User Account
Question No: 92 HOTSPOT – (Topic 2)
You have a server named Server1 that runs Windows Server 2012 R2. You are configuring a storage space on Server1.
You need to ensure that the storage space supports tiered storage.
Which settings should you configure?
To answer, select the appropriate options in the answer area.
Disk Allocation: Automatic
* When using tiers, you must use fixed provisioning.
Question No: 93 – (Topic 2)
Your network contains two Active Directory forests named contoso.com and corp.contoso.com.
User1 is a member of the DnsAdmins domain local group in contoso.com.
User1 attempts to create a conditional forwarder to corp.contoso.com but receives the error message shown in the exhibit. (Click the Exhibit button.)
You need to configure bi-directional name resolution between the two forests. What should you do first?
Add User1 to the DnsUpdateProxy group.
Configure the zone to be Active Directory-integrated.
Enable the Advanced view from DNS Manager.
Run the New Delegation Wizard.
Answer: B Explanation:
The zone must be Active Directory-integrated.
Question No: 94 – (Topic 2)
Information and details provided in a question apply only to that question.
Your network contains an Active Directory domain named contoso.com. The domain contains two member servers named Server1 and Server2. All servers run Windows Server 2012 R2.
Server1 and Server2 have the Network Load Balancing (NLB) feature installed. The servers are configured as nodes in an NLB cluster named Cluster1.
Cluster1 hosts a secure web application named WebApp1. WebApp1 saves user state information locally on each node.
You need to ensure that when users connect to WebApp1, their session state is maintained.
What should you configure?
The cluster quorum settings
The failover settings
A file server for general use
The Handling priority
The host priority
The possible owner
The preferred owner
The Scale-Out File Server
Answer: B Explanation:
NLB offers three types of client affinity to minimize response time to clients and provide generic support for preserving session state. Each affinity specifies a different method for distributing client requests.
Affinity Single: Single
Multiple requests from the same client must access the same member; useful for clusters within an intranet.
This affinity provides the best support for clients that use sessions on an intranet. These clients cannot use No affinity because their sessions could be disrupted.
Not A. Affinity none: Multiple requests from the same client can access any member; useful for clusters that do not store session state information on individual members.
Reference: Using NLB
Question No: 95 – (Topic 2)
Your network contains two servers named Server1 and Server2 that run Windows Server 2008 R2. Server1 and Server2 are nodes in a failover cluster named Cluster1. The network contains two servers named Server3 and Server4 that run Windows Server 2012 R2.
Server3 and Server4 are nodes in a failover cluster named Cluster2.
You need to move all of the applications and the services from Cluster1 to Cluster2. What should you do first from Failover Cluster Manager?
On a server in Cluster2, configure Cluster-Aware Updating.
On a server in Cluster2, click Move Core Cluster Resources, and then click Best Possible Node.
On a server in Cluster1, click Move Core Cluster Resources, and then click Best Possible Node.
On a server in Cluster1, click Migrate Roles.
Not A. Cluster-Aware Updating can greatly simplify the process of applying operating system patches to Windows Server 2012 or 2012 R2 failover cluster nodes.
Not B. Not C. Move Core Cluster Resources is used to move resources from one node to another within the same cluster.
Reference: Migrating Clustered Services and Applications to Windows Server 2012, Migration Between Two Multi-Node Clusters
Question No: 96 – (Topic 2)
You deploy an Active Directory Federation Services (AD FS) 2.1 infrastructure. The infrastructure uses Active Directory as the attribute store.
Some users report that they fail to authenticate to the AD FS infrastructure.
You discover that only users who run third-party web browsers experience issues.
You need to ensure that all of the users can authenticate to the AD FS infrastructure successfully.
Which Windows PowerShell command should you run?
Set-ADFSProperties -ProxyTrustTokenLifetime 1:00:00
Set-ADFSProperties -AddProxyAuthenticationRules None
Set-ADFSProperties -SSOLifetime 1:00:00
Set-ADFSProperties -ExtendedProtectionTokenCheck None
Answer: D Explanation:
Certain client browser software, such as Firefox, Chrome, and Safari, does not support the Extended Protection for Authentication capabilities that can be used across the Windows platform to protect against man-in-the-middle attacks. To prevent this type of attack from occurring over secure AD FS communications, AD FS 2.0 enforces (by default) that all communications use a channel binding token (CBT) to mitigate this threat.
Note: Disable the extended Protection for authentication
To disable the Extended Protection for Authentication feature in AD FS 2.0
->On a federation server, log in using the Administrator account, open the Windows PowerShell command prompt, and then type the following command:
Set-ADFSProperties -ExtendedProtectionTokenCheck None
->Repeat this step on each federation server in the farm.
Reference: Configuring Advanced Options for AD FS 2.0
Question No: 97 – (Topic 2)
Your network contains two servers that run Windows Server 2012 R2 named Server1 and Server2. Both servers have the File Server role service installed.
On Server2, you create a share named Backups.
From Windows Server Backup on Server1, you schedule a full backup to run every night. You set the backup destination to \\Server2\Backups.
After several weeks, you discover that \\Server2\Backups only contains the last backup that completed on Server1.
You need to ensure that multiple backups of Server1 are maintained. What should you do?
Modify the Volume Shadow Copy Service (VSS) settings.
Modify the properties of the Windows Store Service (WSService) service.
Change the backup destination.
Configure the permission of the Backups share.
Answer: C Explanation:
The destination in the exhibit shows that a network share is used. If a network share is being used, only the latest copy will be saved.
Reference: Where should I save my backup?
Question No: 98 – (Topic 2)
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2. Server1 is an enterprise root certification authority (CA) for contoso.com.
Your user account is assigned the certificate manager role and the auditor role on the contoso.com CA. Your account is a member of the local Administrators group on Server1.
You enable CA role separation on Server1.
You need to ensure that you can manage the certificates on the CA. What should you do?
Remove your user account from the local Administrators group.
Assign the CA administrator role to your user account.
Assign your user account the Bypass traverse checking user right.
Remove your user account from the Manage auditing and security log user right.
Answer: D Explanation:
The separation of CA roles can be enforced using role separation. Once enforced, role separation only allows a user to be assigned a single role. If a user is assigned to more than one role and attempts to perform an operation on the CA, the operation is denied. For this reason, before role separation is enabled, a user should be assigned only one CA role.
Reference: Role Separation
Question No: 99 DRAG DROP – (Topic 2)
Your network contains two Active Directory forests named contoso.com and adatum.com. All domain controllers run Windows Server 2012 R2.
A federated trust exists between adatum.com and contoso.com. The trust provides adatum.com users with access to contoso.com resources.
You need to configure Active Directory Federation Services (AD FS) claim rules for the federated trust.
The solution must meet the following requirements:
->In contoso.com, replace an incoming claim type named Group with an outgoing claim type named Role.
->In adatum.com, allow users to receive their tokens for the relying party by using their Active Directory group membership as the claim type.
The AD FS claim rules must use predefined templates.
Which rule types should you configure on each side of the federated trust?
To answer, drag the appropriate rule types to the correct location or locations. Each rule type may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
Acceptance transform rule set
A set of claim rules that you use on a particular claims provider trust to specify the incoming claims that will be accepted from the claims provider organization and the outgoing claims that will be sent to the relying party trust.
Used on: Claims provider trusts
Issuance Authorization Rule Set
A set of claim rules that you use on a relying party trust to specify the claims that will be issued to the relying party.
Used on: Relying party trusts
Question No: 100 – (Topic 2)
You have a server named Server1 that runs Windows Server 2012 R2.
Server1 has a single volume that is encrypted by using BitLocker Drive Encryption (BitLocker).
BitLocker is configured to save encryption keys to a Trusted Platform Module (TPM). Server1 is configured to perform a daily system image backup.
The motherboard on Server1 is upgraded.
After the upgrade, Windows Server 2012 R2 on Server1 fails to start. You need to start the operating system on Server1 as soon as possible. What should you do?
Start Server1 from the installation media. Run startrec.exe.
Move the disk to a server that has a model of the old motherboard. Start the server from the installation media. Run bcdboot.exe.
Move the disk to a server that has a model of the old motherboard. Start the server. Run tpm.msc.
Start Server1 from the installation media. Perform a system image recovery.
Answer: C Explanation:
By moving the hard drive to a server that has a model of the old motherboard, the system would be able to start. As BitLocker was configured to save encryption keys to a Trusted Platform Module (TPM), we can use tpm.msc to access the TPM settings.
Note: After you replace the motherboard, you need to repopulate the TPM with new information regarding the encryption of the hard disk.
We use these commands to repopulate the information in the TPM (without PIN):
manage-bde -protectors -delete C: -type TPM
manage-bde -protectors -add C: -tpm
Not D. After the system image recovery you would still have the new motherboard installed. The problem would return.
Reference: BitLocker – New motherboard replacement