Vendor: Microsoft Exam Code: 70-411 Exam

Vendor: Microsoft
Exam Code: 70-411
Exam Name: Administering Windows Server 2012 R2 Exam
Version: DEMO
QUESTION 1
Your network contains an Active Directory forest named contoso.com. The forest contains a
single domain. All domain controllers run Windows Server 2012 R2.
The domain contains two domain controllers. The domain controllers are configured as shown in
the following table.
Active Directory Recycle Bin is enabled.
You discover that a support technician accidentally removed 100 users from an Active Directory
group named Group1 an hour ago.
You need to restore the membership of Group1.
What should you do?
A. Apply a virtual machine snapshot to VM1.
B. Modify the isDeleted attribute of Group1.
C. Perform tombstone reanimation.
D. Export and import data by using Dsamain.
Answer: C
Explanation:
Active Directory provides a mechanism for restoring a tombstone back into a normal object. This
is effectively an undelete function for deleted objects. The function is a specially formed LDAP
modify operation that must include two specific attribute modifications: it must remove the
isDeleted attribute (not just set it to FALSE) and it must move the object to another container by
changing the object's distinguishedName. The new distinguishedName typically (but not
necessarily) uses the lastKnownParent attribute as the container and keeps the same RDN minus
the \0ADEL:<objectGUID> component that Active Directory added when it created the tombstone.
Note:
* When deleting an object, Active Directory will not actually delete that object immediately (in
most cases) but rather it will keep it for a period of time as a tombstone object. This means it will
remove some of its attributes, add the isDeleted=True attribute, and place the object in the
Deleted Object container.
* Tombstone reanimation (which has nothing to do with zombies) provides the only way to
recover deleted objects without taking a DC offline, and it's the only way to recover a deleted
object's identity information, such as its objectGUID and objectSid attributes. It neatly solves the
problem of recreating a deleted user or group and having to fix up all the old access control list
(ACL) references, which contain the objectSid of the deleted object. Just keep in mind that
tombstone reanimation does have its own limitations, which I will discuss, so you'll still want to
keep authoritative restores in your box of tricks.
* Using Active Directory Recycle Bin to restore a deleted object:
1. In the management console, go to Tools > Active Directory Administrative Center.
2. Click the Deleted Objects folder.
3. Search the list of deleted objects for the object that needs to be restored.
4. Right-click the selected object and select Restore from the shortcut menu.
Reference: Step-By-Step: Utilizing Active Directory Recycle Bin to Restore A Deleted Object
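The LDAP modify operation described in the explanation above, written out as an added example (not part of the original page or of any Microsoft sample). The server name dc1.contoso.com, the domain DN and the object name Group1 are assumptions, and the script assumes the deleted object was named with a CN RDN and that the caller has rights to reanimate tombstones.

```powershell
# Added example: tombstone reanimation as a raw LDAP modify.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$ns       = 'System.DirectoryServices.Protocols'
$server   = 'dc1.contoso.com'     # assumption: a writable domain controller
$domainDn = 'DC=contoso,DC=com'   # assumption: domain naming context
$name     = 'Group1'              # name the object had before deletion

$conn = New-Object "$ns.LdapConnection" $server
$conn.Bind()                      # binds with the current user's credentials

# 1. Locate the tombstone; deleted objects are only returned with the Show Deleted control.
$search = New-Object "$ns.SearchRequest"
$search.DistinguishedName = $domainDn
$search.Filter = "(&(isDeleted=TRUE)(name=$name*))"
$search.Scope  = [System.DirectoryServices.Protocols.SearchScope]::Subtree
[void]$search.Attributes.Add('lastKnownParent')
[void]$search.Attributes.Add('name')
[void]$search.Controls.Add((New-Object "$ns.ShowDeletedControl"))
$entries = $conn.SendRequest($search).Entries
if ($entries.Count -ne 1) { throw "Expected one tombstone, found $($entries.Count)" }
$tomb = $entries[0]

# 2. Build the new DN: lastKnownParent plus the RDN without "\0ADEL:<objectGUID>".
$parent = $tomb.Attributes['lastKnownParent'][0]
$rdn    = ($tomb.Attributes['name'][0] -split "`n")[0]   # text before the 0x0A character
$newDn  = "CN=$rdn,$parent"                              # assumes a CN-named object

# 3. One modify request: remove isDeleted (not set it to FALSE) and replace distinguishedName.
$undelete = New-Object "$ns.DirectoryAttributeModification"
$undelete.Name      = 'isDeleted'
$undelete.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete
$move = New-Object "$ns.DirectoryAttributeModification"
$move.Name      = 'distinguishedName'
$move.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
[void]$move.Add($newDn)

$modify = New-Object "$ns.ModifyRequest"
$modify.DistinguishedName = $tomb.DistinguishedName
[void]$modify.Modifications.Add($undelete)
[void]$modify.Modifications.Add($move)
[void]$modify.Controls.Add((New-Object "$ns.ShowDeletedControl"))
$conn.SendRequest($modify).ResultCode    # result code of the reanimation request
```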
QUESTION 2
Drag and Drop Question
Your network contains an Active Directory forest named contoso.com. Recently, all of the domain
controllers that ran Windows Server 2003 were replaced by domain controllers that run Windows
Server 2012.
From Event Viewer, you discover SYSVOL journal wrap errors on a domain controller named
dc10.contoso.com.
You need to perform a non-authoritative synchronization of SYSVOL on DC10.
Which three actions should you perform on DC10?
To answer, move the three appropriate actions from the list of actions to the answer area and
arrange them in the correct order.
Answer:
Explanation:
Box 1: Stop the Distributed File System (DFS) Replication service.
Box 2: Modify the computer object of DC10 in Active Directory.
Box 3: Start the Distributed File System (DFS) Replication service.
Note:
* In very large replica sets, replica members may encounter the following error during an
authoritative restore (BURFLAGS=D4):
journal_wrap_error
To recover, the affected replica member must be reinitialized with a nonauthoritative restore
(BURFLAGS=D2) where it will synchronize files from an existing inbound partner. This
reinitialization can be time-consuming for large replica sets.
QUESTION 3
Your network contains an Active Directory domain named contoso.com. All domain controllers
run Windows Server 2012 R2. One of the domain controllers is named DC1.
The DNS zone for the contoso.com zone is Active Directory-integrated and has the default
settings.
A server named Server1 is a DNS server that runs a UNIX-based operating system.
You plan to use Server1 as a secondary DNS server for the contoso.com zone.
You need to ensure that Server1 can host a secondary copy of the contoso.com zone.
What should you do?
A. From Windows PowerShell, run the Set-DnsServerPrimaryZone cmdlet and specify the contoso.com
zone as a target.
B. From DNS Manager, modify the Security settings of DC1
C. From DNS Manager, modify the replication scope of the contoso.com zone
D. From DNS Manager, modify the Advanced settings of DC1.
Answer: A
Explanation:
Set-DnsServerPrimaryZone
Changes settings for a DNS primary zone.
Applies To: Windows Server 2012 R2
The Set-DnsServerPrimaryZone cmdlet changes settings for an existing Domain Name System
(DNS) primary zone. You can change values that are relevant for either Active Directory-integrated
zones or file-backed zones.
Examples of parameters include:
-NotifyServers <IPAddress[]>
Specifies an array of IP addresses of secondary DNS servers that the DNS master server notifies
of changes to resource records. You need this parameter only if you selected the value
NotifyServers for the Notify parameter.
-Notify <String>
Specifies how a DNS master server notifies secondary servers of changes to resource records.
The acceptable values for this parameter are:
-- NoNotify. The zone does not send change notifications to secondary servers.
-- Notify. The zone sends change notifications to all secondary servers.
-- NotifyServers. The zone sends change notifications to some secondary servers. If you choose
this option, specify the list of secondary servers in the NotifyServers parameter.
Reference: Set-DnsServerPrimaryZone
QUESTION 4
Your network contains an Active Directory domain named contoso.com. The domain contains a
server named Server1 that runs Windows Server 2012 R2 and has the Network Policy Server
role service installed.
You need to enable trace logging for Network Policy Server (NPS) on Server1.
Which tool should you use?
A. the Network Policy Server console
B. the Server Manager console
C. the tracert.exe command
D. the netsh.exe command
Answer: D
QUESTION 5
Your network contains an Active Directory domain named contoso.com. The domain contains a
server named Server1 that runs Windows Server 2012 R2 and has the DNS Server server role
installed.
Server1 is configured to delete automatically the DNS records of client computers that are no
longer on the network. A technician confirms that the DNS records are deleted automatically from
the contoso.com zone.
You discover that the contoso.com zone has many DNS records for servers that were on the
network in the past, but have not connected to the network for a long time.
You need to set the time stamp for all of the DNS records in the contoso.com zone.
What should you do?
A. From DNS Manager, modify the Advanced settings from the properties of Server1
B. From Windows PowerShell, run the Set-DnsServerResourceRecordAging cmdlet
C. From DNS Manager, modify the Zone Aging/Scavenging Properties
D. From Windows PowerShell, run the Set-DnsServerZoneAging cmdlet.
Answer: D
QUESTION 6
Your company deploys a new Active Directory forest named contoso.com. The first domain
controller in the forest runs Windows Server 2012. The forest contains a domain controller named
DC10. On DC10, the disk that contains the SYSVOL folder fails. You replace the failed disk. You
stop the Distributed File System (DFS) Replication service. You restore the SYSVOL folder. You
need to perform a non-authoritative synchronization of SYSVOL on DC10. Which tool should you
use before you start the DFS Replication service on DC10?
A. Dfsgui.msc
B. Replmon
C. Adsiedit.msc
D. Ultrasound
Answer: C
Explanation:
How to perform a non-authoritative synchronization of DFSR-replicated SYSVOL (like "D2" for
FRS)
1. In the ADSIEDIT.MSC tool modify the following distinguished name (DN) value and attribute on
each of the domain controllers that you want to make non-authoritative:
CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=<the
server name>,OU=Domain Controllers,DC=<domain>
msDFSR-Enabled=FALSE
2. Force Active Directory replication throughout the domain.
3. Run the following command from an elevated command prompt on the same servers that you
set as non-authoritative:
DFSRDIAG POLLAD
4. You will see Event ID 4114 in the DFSR event log indicating SYSVOL is no longer being
replicated.
5. On the same DN from Step 1, set:
msDFSR-Enabled=TRUE
6. Force Active Directory replication throughout the domain.
7. Run the following command from an elevated command prompt on the same servers that you
set as non-authoritative:
DFSRDIAG POLLAD
8. You will see Event ID 4614 and 4604 in the DFSR event log indicating SYSVOL has been
initialized. That domain controller has now done a "D2" of SYSVOL.
Note: Active Directory Service Interfaces Editor (ADSI Edit) is a Lightweight Directory Access
Protocol (LDAP) editor that you can use to manage objects and attributes in Active Directory.
ADSI Edit (adsiedit.msc) provides a view of every object and attribute in an Active Directory
forest. You can use ADSI Edit to query, view, and edit attributes that are not exposed through
other Active Directory Microsoft Management Console (MMC) snap-ins: Active Directory Users and
Computers, Active Directory Sites and Services, Active Directory Domains and Trusts, and Active
Directory Schema.
Incorrect:
A: Dfsgui is for earlier versions of Windows Server.
B: Replmon is for Windows 2003 and earlier.
Reference: How to force an authoritative and non-authoritative synchronization for DFSR-replicated SYSVOL (like "D4/D2" for FRS)
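The eight-step non-authoritative synchronization above, scripted for a single domain controller as an added example (not part of the original page or the referenced article). It assumes the ActiveDirectory module is installed, the DFS Replication service is running, and the script runs elevated on the DC being re-initialized; DC10 and DC=contoso,DC=com are placeholders, and Wait-DfsrEvent and Set-SysvolEnabled are helper names introduced here.

```powershell
# Added example: "D2"-style non-authoritative SYSVOL sync for one DC.
Import-Module ActiveDirectory
$DcName   = 'DC10'                 # placeholder: DC to re-initialize
$DomainDn = 'DC=contoso,DC=com'    # placeholder: domain DN
$SubDn    = "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings," +
            "CN=$DcName,OU=Domain Controllers,$DomainDn"

# Poll the DFS Replication log until the given event ID appears after $Since.
function Wait-DfsrEvent {
    param([int]$Id, [datetime]$Since, [int]$TimeoutSec = 900)
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    while ((Get-Date) -lt $deadline) {
        $hit = Get-WinEvent -FilterHashtable @{
            LogName = 'DFS Replication'; Id = $Id; StartTime = $Since
        } -ErrorAction SilentlyContinue
        if ($hit) { return ($hit | Select-Object -First 1) }
        Start-Sleep -Seconds 15
    }
    throw "Event $Id not logged within $TimeoutSec seconds; stop and investigate."
}

# Flip msDFSR-Enabled, force AD replication, then make DFSR re-read its configuration.
function Set-SysvolEnabled {
    param([bool]$Enabled)
    Set-ADObject -Identity $SubDn -Server $DcName -Replace @{ 'msDFSR-Enabled' = $Enabled }
    repadmin /syncall /AdeP | Out-Null
    dfsrdiag pollad | Out-Null
}

$t = Get-Date
Set-SysvolEnabled -Enabled $false                 # steps 1-3
Wait-DfsrEvent -Id 4114 -Since $t | Out-Null      # step 4: SYSVOL no longer replicated

$t = Get-Date
Set-SysvolEnabled -Enabled $true                  # steps 5-7
Wait-DfsrEvent -Id 4614 -Since $t | Out-Null      # step 8: both events expected
Wait-DfsrEvent -Id 4604 -Since $t | Out-Null

# Confirm the attribute ended up TRUE again.
Get-ADObject -Identity $SubDn -Server $DcName -Properties 'msDFSR-Enabled' |
    Select-Object DistinguishedName, 'msDFSR-Enabled'
```

Waiting for event 4114 before re-enabling matters: setting the attribute back to TRUE before DFSR has registered the FALSE state skips the re-initialization.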
QUESTION 7
Your network contains a server named Server1 that has the Network Policy and Access Services
server role installed. All of the network access servers forward connection requests to Server1.
You create a new network policy on Server1. You need to ensure that the new policy applies only
to connection requests from Microsoft RAS servers that are located on the 192.168.0.0/24
subnet. Which two configurations should you perform? (Each correct answer presents part of the
solution. Choose two.)
A. Set the MS-RAS Vendor ID condition to $teelHead.
B. Set the Called Station ID constraint to 192.168.0.
C. Set the Client IP4 Address condition to 192.168.0.0/24.
D. Set the MS-RAS Vendor ID condition to ^311$.
E. Set the Called Station ID constraint to 192.168.0.0/24.
F. Set the Client IP4 Address condition to 192.168.0.
Answer: DF
Explanation:
D: MS-RAS-Vendor Matches "^311$". The condition means that the policy applies only when the
version of the RADIUS client is ^311$, so subsequent settings in this policy apply only to RRAS
machines.
F: Client IPv4 Address
Specifies the Internet Protocol (IP) version 4 address of the RADIUS client that forwarded the
connection request to the NPS server.
QUESTION 8
Your network contains three Network Policy Server (NPS) servers named NPS1, NPS2, and
NPS3. NPS1 is configured as a RADIUS proxy that forwards connection requests to a remote
RADIUS server group named Group1. You need to ensure that NPS2 receives connection
requests. NPS3 must only receive connection requests if NPS2 is unavailable. How should you
configure Group1?
A. Change the Weight of NPS2 to 10.
B. Change the Weight of NPS3 to 10.
C. Change the Priority of NPS2 to 10.
D. Change the Priority of NPS3 to 10.
Answer: D
QUESTION 9
Your network contains an Active Directory domain named contoso.com. All domain controllers
run Windows Server 2012 R2.
Administrators use client computers that run Windows 8 to perform all management tasks.
A central store is configured on a domain controller named DC1.
You have a custom administrative template file named App1.admx. App1.admx contains
application settings for an application named App1.
From a client computer named Computer1, you create a new Group Policy object (GPO) named
GPO1.
You discover that the application settings for App1 fail to appear in GPO1.
You need to ensure that the App1 settings appear in all of the new GPOs that you create.
What should you do?
A. Copy App1.admx to \\Contoso.com\SYSVOL\Contoso.com\Policies\PolicyDefinitions\
B. From the Default Domain Controllers Policy, add App1.admx to the Administrative Templates.
C. From the Default Domain Policy, add App1.admx to the Administrative Templates
D. Copy App1.admx to \\Contoso.com\SYSVOL\Contoso.com\StarterGPOs.
Answer: A
QUESTION 10
Your network contains two Active Directory domains named contoso.com and adatum.com. The
contoso.com domain contains a server named Server1.contoso.com. The adatum.com domain
contains a server named server2.adatum.com. Server1 and Server2 run Windows Server 2012
and have the DirectAccess and VPN (RRAS) role service installed. Server1 has the default
network policies and the default connection request policies. You need to configure Server1 to
perform authentication and authorization of VPN connection requests to Server2. Only users who
are members of Adatum\Group1 must be allowed to connect. Which two actions should you
perform on Server1? (Each correct answer presents part of the solution. Choose two.)
A. Network policies
B. Connection request policies
C. Create a network policy.
D. Create a connection request policy.
Answer: AD
Explanation:
* Connection request policies are sets of conditions and settings that allow network administrators
to designate which Remote Authentication Dial-In User Service (RADIUS) servers perform the
authentication and authorization of connection requests that the server running Network Policy
Server (NPS) receives from RADIUS clients. Connection request policies can be configured to
designate which RADIUS servers are used for RADIUS accounting.
* With connection request policies, you can use NPS as a RADIUS server or as a RADIUS proxy,
based on factors such as the following:
The time of day and day of the week
The realm name in the connection request
The type of connection being requested
The IP address of the RADIUS client
QUESTION 11
Your network contains an Active Directory domain named contoso.com. The domain contains a
file server named Server1 that runs Windows Server 2012 R2. Server1 has a share named
Share1.
When users without permission to Share1 attempt to access the share, they receive the Access
Denied message as shown in the exhibit. (Click the Exhibit button.)
You deploy a new file server named Server2 that runs Windows Server 2012 R2.
You need to configure Server2 to display the same custom Access Denied message as Server1.
What should you install on Server2?
A. The Remote Assistance feature
B. The File Server Resource Manager role service
C. The Enhanced Storage feature
D. The Storage Services server role
Answer: B