[Free] Download New Latest (November) Microsoft 70-417 Actual Tests 1-10

Ensurepass

QUESTION 1

Your network contains an Active Directory domain named contoso.com. All servers run Windows Server 2012 R2. The domain contains two servers. The servers are configured as shown in the following table.

 

clip_image002

 

All client computers run Windows 8 Enterprise.

 

You plan to deploy Network Access Protection (NAP) by using IPSec enforcement.

 

A Group Policy object (GPO) named GPO1 is configured to deploy a trusted server group to all of the client computers.

 

You need to ensure that the client computers can discover HRA servers automatically.

 

Which three actions should you perform? (Each correct answer presents part of the solution. Choose three.)

 

A.

On Server2, configure the EnableDiscovery registry key.

B.

On DC1, create an alias (CNAME) record.

C.

On DC1, create a service location (SRV) record.

D.

In a GPO, modify the Request Policy setting for the NAP Client Configuration.

E.

On all of the client computers, configure the EnableDiscovery registry key.

 

Correct Answer: CDE

Explanation:

http://technet.microsoft.com/en-us/library/dd296901(v=ws.10).aspx

clip_image004

 

 

 

 

QUESTION 2

DRAG DROP

Your network contains an Active Directory domain named contoso.com. The domain contains two DHCP servers named DHCP1 and DHCP2 that run Windows Server 2012.

 

You install the IP Address Management (IPAM) Server feature on a member server named Server1 and you run the Run Invoke-IpamGpoProvisioningcmdlet.

 

You need to manage the DHCP servers by using IPAM on Server1.

 

Which three actions should you perform?

 

To answer, move the three appropriate actions from the list of actions to the answer area and arrange them in the correct order.

 

clip_image006

 

Correct Answer:

clip_image008

 

 

 

 

 

 

 

 

 

 

 

QUESTION 3

Your network contains an Active Directory domain named contoso.com. All domain controllers run Windows Server 2012 R2.

 

You pre-create a read- only domain controller (RODC) account named RODC1. You export the settings of RODC1 to a file named File1.txt.

 

You need to promote RODC1 by using File1.txt.

 

Which tool should you use?

 

A.

The Install-WindowsFeaturecmdlet

B.

The Add-WindowsFeaturecmdlet

C.

TheDism command

D.

TheDcpromo command

E.

The Install-ADDSDomainControllercmdlet

 

Correct Answer: D

Explanation:

DCPromo is gone, HOWEVER, it is still used for unattend installations using unattended files. This allows administrators the chance to get used to using powershell commands instead of the unattended file.

 

http://technet.microsoft.com/en-us/library/hh472162.aspx

http://technet.microsoft.com/en-us/library/jj205467.aspx

 

Install-WindowsFeature Installs one or more Windows Server roles, role services, or features on either the local or a specified remote server that is running Windows Server 2012 R2. This cmdlet is equivalent to and replaces Add- WindowsFeature, the cmdlet that was used to install roles, role services, and features in Windows Server 2008 R2. So the 2 first answers are the same and we only have one choice here…

 

 

QUESTION 4

Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2.

 

Server1 has the IP Address Management (IPAM) Server feature installed. IPAM is configured currently for Group Policy-based provisioning.

 

You need to change the IPAM provisioning method on Server1.

 

What should you do?

 

A.

Run the ipamgc.exe command.

B.

Run the ipamgc.exe command.

C.

Run the Set-IPAMConfigurationcmdlet.

D.

Reinstall the IP Address Management (IPAM) Server feature.

E.

Delete IPAM Group Policy objects (GPOs) from the domain.

 

Correct Answer: D

Explanation:

You cannot change the provisioning method after completing the initial setup. When you install IPAM and configure either manual OR GPO, you receive the same message about not being able to change the provisioning method. As a matter of fact, I set it up in my lab and configured it as GPO. Here is a copy/paste of the message that is presently on the IPAM home page in server manager: “The access configuration mode cannot be modified after completing the IPAM provisioning wizard”

 

Also, the help console in IPAM displays this when searching about provisioning methods: “The managed server provisioning method cannot be changed after you complete the IPAM provisioning wizard.”

 

clip_image010

 

 

QUESTION 5

DRAG DROP

Your network contains an Active Directory domain named adatum.com. The domain contains three servers. The servers are configured as shown in the following table.

 

clip_image012

 

Server1 is configured as shown in the exhibit. (Click the Exhibit button.)

 

clip_image014

 

Template1 contains custom cryptography settings that are required by the corporate security team.

 

On Server2, an administrator successfully installs a certificate based on Template1.

 

The administrator reports that Template1 is not listed in the Certificate Enrollment wizard on Server3, even after selecting the Show all templates check box.

 

You need to ensure that you can install a server authentication certificate on Server3. The certificate must comply with the cryptography requirements.

 

Which three actions should you perform in sequence?

 

To answer, move the appropriate three actions from the list of actions to the answer area and arrange them in the correct order.

 

clip_image016

 

Correct Answer:

clip_image018

 

 

QUESTION 6

Your network contains a single Active Directory domain named contoso.com. All domain controllers run Windows Server 2012 R2.

 

The domain contains 400 desktop computers that run Windows 8 and 200 desktop computers that run Windows Vista Service Pack 2(SP2).

 

All of the desktop computers are located in an organizational unit (OU) named OU1.

 

You create a Group Policy object (GPO) named GPO1. GPO1 contains startup script settings.

 

You link GPO1 to OU1.

 

You need to ensure that GPO1 is applied only to computers that run Windows 8.

 

What should you do?

 

A.

Modify the Security settings of OU1.

B.

Create and link a WMI filter to GPO1.

C.

Run the Set-GPInheritancecmdlet and specify the -target parameter.

D.

Run the Set-GPLinkcmdlet and specify the -target parameter.

 

Correct Answer: B

Explanation:

WMI Filtering is used to get information of the system and apply the GPO on it with the condition is met.Security filtering: apply a GPO to a specific group (members of the group)

 

 

 

 

 

 

QUESTION 7

Your network contains an Active Directory domain named contoso.com. The domain contains two member servers named Server1 and Server2. All servers run Windows Server 2012 R2.

 

Server1 and Server2 have the Failover Clustering feature installed. The servers are configured as nodes in a failover cluster named Cluster1. Cluster1 contains a file server role named FS1 and a generic service role named SVC1. Server1 is the preferred node for FS1. Server2 is the preferred node for SVC1.

 

You plan to run a disk maintenance tool on the physical disk used by FS1.

 

You need to ensure that running the disk maintenance tool does not cause a failover to occur.

 

What should you do before you run the tool?

 

A.

Run Suspend-ClusterNode.

B.

Run cluster.exe and specify the offline parameter.

C.

Run Suspcnd-ClusterResource.

D.

Run cluster.exe and specify the pause parameter.

 

Correct Answer: D

 

 

QUESTION 8

Your network contains an Active Directory domain named contoso.com. The network contains a file server named Server1 that runs Windows Server 2012 R2. You create a folder named Folder1. You share Folder1 as Share1.

 

The NTFS permissions on Folder1 are shown in the Folder1 exhibit. (Click the Exhibit button.)

 

clip_image020

 

The Everyone group has the Full control Share permission to Folder1.

You configure a central access policy as shown in the Central Access Policy exhibit. (Click the Exhibit button.)

 

clip_image022

 

Members of the IT group report that they cannot modify the files in Folder1. You need to ensure that the IT group members can modify the files in Folder1. The solution must use central access policies to control the permissions. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

 

A.

On the Security tab of Folder1, remove the permission entry for the IT group.

B.

On the Classification tab of Folder1, set the classification to “Information Technology”.

C.

On the Security tab of Folder1, assign the Modify permission to the Authenticated Users group.

D.

On Share1, assign the Change Share permission to the IT group.

E.

On the Security tab of Folder1, add a conditional expression to the existing permission entry for the IT group.

 

Correct Answer: BC

Explanation:

A: On the Security tab of Folder1, remove the permission entry for the IT group. => tested => it failed of course, users don’t even have read permissions anymore

D: On Share1, assign the Change share permission to the IT group =>Everyone already has the full control share permission => won’t solve the problem which is about the NTFS Read permission

E: On the Security tab of Folder1, add a conditional expression to the existing permission entry for the IT group

=> how could a condition, added to a read permission, possibly transform a read to a modify permission? If they had said “modify the permission and add a conditional expression” => ok (even if that’s stupid, it works) a condition is Applied to the existing permissions to filter existing access to only matching users or groups so if we Apply a condition to a read permission, the result will only be that less users (only them matching the conditions) will get those read permissions, which actually don’t solve the problem neither so only one left:

C: On the Security tab of Folder1, assign the Modify permission to the Authenticated Users group => for sure it works and it’s actually the only one which works, but what about security? well i first did not consider this method => “modify” permission for every single authenticated users? But now it looks very clear:

 

THE MORE RESTRICTIVE PERMISSION IS ALWAYS THE ONE APPLIED!! So “Modify” for Authenticated Users group and this will be filtered by the DAC who only allows IT group. and it matches the current settings that no other user (except admin, creator owner, etc…) can even read the folder. and this link confirms my theory:

 

http://autodiscover.wordpress.com/2012/09/12/configuring-dynamic-access-controls- andfileclassificationpart4-winservr-2012-dac-microsoft- mvpbuzz/

 

Configuring Dynamic Access Controls and File Classification

 

Note:

In order to allow DAC permissions to go into play, allow everyone NTFS full control permissions and then DAC will overwrite it, if the user doesn’t have NTFS permissions he will be denied access even if DAC grants him access. And if this can help, a little summary of configuring DAC:

 

clip_image024

 

 

 

 

QUESTION 9

Which of the following reasons justifies why you should audit failed events?

 

A.

To log resource access for reporting and billing

B.

To monitor for malicious attempts to access a resource which has been denied

C.

None of these

D.

To monitor access that would suggest users are performing actions greater than you had planned

 

Correct Answer: B

Explanation:

http://technet.microsoft.com/en-us/library/cc778162%28v=ws.10%29.aspx

Auditing Security Events Best practices

If you decide to audit failure events in the policy change event category, you can see if unauthorized users or attackers are trying to change policy settings, including security policy settings. Although this can be helpful for intrusion detection, the increase in resources that is required and the possibility of a denial-of-service attack usually outweigh the benefits.

 

 

QUESTION 10

DRAG DROP

You have a server named Server2 that runs Windows Server 2012 R2. You have storage provisioned on Server2 as shown in the exhibit. (Click the Exhibit button.)

 

clip_image026

 

You need to configure the storage so that it appears in Windows Explorer as a drive letter on Server1.

 

Which three actions should you perform in sequence?

To answer, move the three appropriate actions from the list of actions to the answer area and arrange them in the correct order.

 

clip_image028

 

Correct Answer:

clip_image030

 

Free VCE & PDF File for Microsoft 70-417 Actual Tests

Instant Access to Free VCE Files: MCSE|MCSA|MCITP…
Instant Access to Free PDF Files: MCSE|MCSA|MCITP…