[Free] Download New Updated (October 2016) Microsoft 70-411 Real Exam 131-140

Ensurepass

QUESTION 131

Your network contains an Active Directory domain named contoso.com. All domain controllers run Windows Server 2012 R2.

 

On all of the domain controllers, Windows is installed in C:\Windows and the Active Directory database is located in D:\Windows\NTDS.

 

All of the domain controllers have a third-party application installed.

 

The operating system fails to recognize that the application is compatible with domain controller cloning.

 

You verify with the application vendor that the application supports domain controller cloning.

 

You need to prepare a domain controller for cloning.

 

What should you do?

 

A. In D:\Windows\NTDS, create an XML file named DCCloneConfig.xml and add the application information to the file.

B. In the root of a USB flash drive, add the application information to an XML file named DefaultDCCloneAllowList.xml.

C. In D:\Windows\NTDS, create an XML file named CustomDCCloneAllowList.xml and add the application information to the file.

D. In C:\Windows\System32\Sysprep\Actionfiles, add the application information to an XML file named Respecialize.xml.

 

Correct Answer: C

Explanation:

Place the CustomDCCloneAllowList.xml file in the same folder as the Active Directory database (ntds.dit) on the source Domain Controller.

 

 

http://blogs.dirteam.com/blogs/sanderberkouwer/archive/2012/09/10/new-features-in-active-directory-domain-services-in-windows-server-2012-part-13-domain-controller-cloning.aspx

http://www.thomasmaurer.ch/2012/08/windows-server-2012-hyper-v-how-to-clone-a-virtual-domain-controller

http://technet.microsoft.com/en-us/library/hh831734.aspx

 

 

 

QUESTION 132

Your network contains an Active Directory domain named contoso.com.

 

You create a user account named User1. The properties of User1 are shown in the exhibit. (Click the Exhibit button.)

 

clip_image004

 

You plan to use the User1 account as a service account. The service will forward authentication requests to other servers.

 

You need to ensure that you can view the Delegation tab from the properties of the User1 account.

 

What should you do first?

 

A. Configure the Name Mappings of User1.

B. Modify the user principal name (UPN) of User1.

C. Configure a Service Principal Name (SPN) for User1.

D. Modify the Security settings of User1.

 

Correct Answer: C

Explanation:

If you cannot see the Delegation tab, do one or both of the following:

Register a Service Principal Name (SPN) for the user account with the Setspn utility in the support tools on your CD. Delegation is only intended to be used by service accounts, which should have registered SPNs, as opposed to a regular user account which typically does not have SPNs.

Raise the functional level of your domain to Windows Server 2003. For more information, see Related Topics.

 

 

http://blogs.msdn.com/b/mattlind/archive/2010/01/14/delegation-tab-in-aduc-not-available-until-a-spn-is-set.aspx

http://technet.microsoft.com/en-us/library/cc739474(v=ws.10).aspx

 

 

QUESTION 133

HOTSPOT

Your network contains an Active Directory forest named contoso.com. The forest contains a single domain. All domain controllers run Windows Server 2012 R2 and are configured as DNS servers. All DNS zones are Active Directory-integrated. Active Directory Recycle Bin is enabled.

 

You need to modify the amount of time deleted objects are retained in the Active Directory Recycle Bin.

 

Which naming context should you use?

 

To answer, select the appropriate naming context in the answer area.

 

clip_image007

 

Correct Answer:

clip_image008

QUESTION 134

Your network contains an Active Directory forest named contoso.com. The forest functional level is Windows Server 2012 R2. The forest contains a single domain.

 

You create a Password Settings object (PSO) named PSO1.

 

You need to delegate the rights to apply PSO1 to the Active Directory objects in an organizational unit named OU1.

 

What should you do?

 

A. From Active Directory Users and Computers, run the Delegation of Control Wizard.

B. From Active Directory Administrative Center, modify the security settings of PSO1.

C. From Group Policy Management, create a Group Policy object (GPO) and link the GPO to OU1.

D. From Active Directory Administrative Center, modify the security settings of OU1.

 

Correct Answer: B

Explanation:

PSOs cannot be applied to organizational units (OUs) directly. If your users are organized into OUs, consider creating global security groups that contain the users from these OUs and then applying the newly defined fine-grained password and account lockout policies to them. If you move a user from one OU to another, you must update user memberships in the corresponding global security groups.

Go ahead and hit “OK” and then close out of all open windows. Now that you have created a password policy, we need to apply it to a user/group. In order to do so, you must have “write” permissions on the PSO object. We’re doing this in a lab, so I’m Domain Admin.

Write permissions are not a problem:

1. Open Active Directory Users and Computers (Start, point to Administrative Tools, and then click Active Directory Users and Computers).

2. On the View menu, ensure that Advanced Features is checked.

3. In the console tree, expand Active Directory Users and Computers\yourdomain\System\Password Settings Container

4. In the details pane, right-click the PSO, and then click Properties.

5. Click the Attribute Editor tab.

6. Select the msDS-PsoAppliesTo attribute, and then click Edit.

 

 

QUESTION 135

Your network contains an Active Directory domain named contoso.com. All servers run Windows Server 2012 R2. The domain contains two servers. The servers are configured as shown in the following table.

 

clip_image010

All client computers run Windows 8 Enterprise.

 

You plan to deploy Network Access Protection (NAP) by using IPSec enforcement.

 

A Group Policy object (GPO) named GPO1 is configured to deploy a trusted server group to all of the client computers.

 

You need to ensure that the client computers can discover HRA servers automatically.

 

Which three actions should you perform? (Each correct answer presents part of the solution. Choose three.)

 

A. On all of the client computers, configure the EnableDiscovery registry key.

B. In a GPO, modify the Request Policy setting for the NAP Client Configuration.

C. On Server2, configure the EnableDiscovery registry key.

D. On DC1, create an alias (CNAME) record.

E. On DC1, create a service location (SRV) record.

 

Correct Answer: ABE

Explanation:

Requirements for HRA automatic discovery

 

The following requirements must be met in order to configure trusted server groups on NAP client computers using HRA automatic discovery:

Client computers must be running Windows Vista® with Service Pack 1 (SP1) or Windows XP with Service Pack 3 (SP3).

The HRA server must be configured with a Secure Sockets Layer (SSL) certificate.

The EnableDiscovery registry key must be configured on NAP client computers.

DNS SRV records must be configured.

The trusted server group configuration in either local policy or Group Policy must be cleared.

 

http://technet.microsoft.com/en-us/library/dd296901.aspx

 

 

QUESTION 136

HOTSPOT

Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that has the Network Policy Server server role installed. The domain contains a server named Server2 that is configured for RADIUS accounting.

 

Server1 is configured as a VPN server and is configured to forward authentication requests to Server2.

 

You need to ensure that only Server2 contains event information about authentication requests from connections to Server1.

 

Which two nodes should you configure from the Network Policy Server console?

 

To answer, select the appropriate two nodes in the answer area.

 

clip_image012

 

Correct Answer:

clip_image014

QUESTION 137

Your network contains two Active Directory forests named contoso.com and adatum.com. The contoso.com forest contains a server named Server1.contoso.com. The adatum.com forest contains a server named server2.adatum.com. Both servers have the Network Policy Server role service installed.

 

The network contains a server named Server3. Server3 is located in the perimeter network and has the Network Policy Server role service installed.

 

You plan to configure Server3 as an authentication provider for several VPN servers.

 

You need to ensure that RADIUS requests received by Server3 for a specific VPN server are always forwarded to Server1.contoso.com.

 

Which two should you configure on Server3? (Each correct answer presents part of the solution. Choose two.)

 

A. Remediation server groups

B. Remote RADIUS server groups

C. Connection request policies

D. Network policies

E. Connection authorization policies

 

Correct Answer: BC

Explanation:

To configure NPS as a RADIUS proxy, you must create a connection request policy that contains all of the information required for NPS to evaluate which messages to forward and where to send the messages.

 

When you configure Network Policy Server (NPS) as a Remote Authentication Dial-In User Service (RADIUS) proxy, you use NPS to forward connection requests to RADIUS servers that are capable of processing the connection requests because they can perform authentication and authorization in the domain where the user or computer account is located. For example, if you want to forward connection requests to one or more RADIUS servers in untrusted domains, you can configure NPS as a RADIUS proxy to forward the requests to the remote RADIUS servers in the untrusted domain. To configure NPS as a RADIUS proxy, you must create a connection request policy that contains all of the information required for NPS to evaluate which messages to forward and where to send the messages.

 

When you configure a remote RADIUS server group in NPS and you configure a connection request policy with the group, you are designating the location where NPS is to forward connection requests.

 

 

http://technet.microsoft.com/en-us/library/cc754518.aspx

 

 

QUESTION 138

Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2. Server1 has the Network Policy and Access Services server role installed.

 

Your company’s security policy requires that certificate-based authentication must be used by some network services.

 

You need to identify which Network Policy Server (NPS) authentication methods comply with the security policy.

 

Which two authentication methods should you identify? (Each correct answer presents part of the solution. Choose two.)

 

A. MS-CHAP

B. PEAP-MS-CHAP v2

C. CHAP

D. EAP-TLS

E. MS-CHAP v2

 

Correct Answer: BD

Explanation:

PEAP is similar in design to EAP-TTLS, requiring only a server-side PKI certificate to create a secure TLS tunnel to protect user authentication, and uses server-side public key certificates to authenticate the server.

When you use EAP with a strong EAP type, such as TLS with smart cards or TLS with certificates, both the client and the server use certificates to verify their identities to each other.

 

 

QUESTION 139

Your network contains an Active Directory domain named adatum.com. The domain contains a file server named Server1 that runs Windows Server 2012 R2.

 

All client computers run Windows 7.

 

You need to ensure that user settings are saved to \\Server1\Users.

 

What should you do?

 

A. From the properties of each user account, configure the Home folder settings.

B. From a Group Policy object (GPO), configure the Folder Redirection settings.

C. From the properties of each user account, configure the User profile settings.

D. From a Group Policy object (GPO), configure the Drive Maps preference.

 

Correct Answer: C

Explanation:

If a computer is running Windows 2000 Server or later on a network, users can store their profiles on the server. These profiles are called roaming user profiles.

 

 

QUESTION 140

Your network contains an Active Directory domain named contoso.com. All domain controllers run Windows Server 2012 R2.

 

An organizational unit (OU) named OU1 contains 200 client computers that run Windows 8 Enterprise. A Group Policy object (GPO) named GPO1 is linked to OU1.

 

You make a change to GPO1.

 

You need to force all of the computers in OU1 to refresh their Group Policy settings immediately. The solution must minimize administrative effort.

 

Which tool should you use?

 

A. Server Manager

B. Active Directory Users and Computers

C. The Gpupdate command

D. Group Policy Management Console (GPMC)

 

Correct Answer: D

Explanation:

Starting with Windows Server 2012 and Windows 8, you can now remotely refresh Group Policy settings for all computers in an OU from one central location through the Group Policy Management Console (GPMC). Or you can use the Invoke-GPUpdate cmdlet to refresh Group Policy for a set of computers, not limited to the OU structure, for example, if the computers are located in the default computers container.

 

 

http://technet.microsoft.com/en-us//library/jj134201.aspx

http://blogs.technet.com/b/grouppolicy/archive/2012/11/27/group-policy-in-windows-server-2012-using-remote-gpupdate.aspx

 
