Administering Windows Server 2012
Question No: 181 – (Topic 2)
Your network contains a single Active Directory domain named contoso.com. The domain contains a member server named Server1 that runs Windows Server 2012 R2.
Server1 has the Windows Server Update Services server role installed and is configured to download updates from the Microsoft Update servers.
You need to ensure that Server1 downloads express installation files from the Microsoft Update servers.
What should you do from the Update Services console?
From the Update Files and Languages options, configure the Update Files settings.
From the Automatic Approvals options, configure the Update Rules settings.
From the Products and Classifications options, configure the Products settings.
From the Products and Classifications options, configure the Classifications settings.
Answer: A
Explanation:
To specify whether express installation files are downloaded during synchronization:
In the left pane of the WSUS Administration console, click Options.
In Update Files and Languages, click the Update Files tab.
If you want to download express installation files, select the Download express installation files check box. If you do not want to download express installation files, clear the check box.
http://technet.microsoft.com/en-us/library/cc708431.aspx
Question No: 182 – (Topic 2)
You have a DNS server that runs Windows Server 2012 R2. The server hosts the zone for contoso.com and is accessible from the Internet.
You need to create a DNS record for the Sender Policy Framework (SPF) to list the hosts that are authorized to send email for contoso.com.
Which type of record should you create?
mail exchanger (MX)
resource record signature (RRSIG)
name server (NS)
Question No: 183 – (Topic 2)
Your network contains an Active Directory domain named contoso.com. Network Policy Server (NPS) is deployed to the domain.
You plan to deploy Network Access Protection (NAP).
You need to configure the requirements that are validated on the NPS client computers. What should you do?
From the Network Policy Server console, configure a network policy.
From the Network Policy Server console, configure a health policy.
From the Network Policy Server console, configure a Windows Security Health Validator (WSHV) policy.
From a Group Policy object (GPO), configure the NAP Client Configuration security setting.
From a Group Policy object (GPO), configure the Network Access Protection Administrative Templates setting.
Question No: 184 – (Topic 2)
Your network contains an Active Directory forest named contoso.com. The forest functional level is Windows Server 2012 R2. The forest contains a single domain.
You create a Password Settings object (PSO) named PSO1.
You need to delegate the rights to apply PSO1 to the Active Directory objects in an organizational unit named OU1.
What should you do?
From Active Directory Users and Computers, run the Delegation of Control Wizard.
From Active Directory Administrative Center, modify the security settings of PSO1.
From Group Policy Management, create a Group Policy object (GPO) and link the GPO to OU1.
From Active Directory Administrative Center, modify the security settings of OU1.
Answer: B
Explanation:
PSOs cannot be applied to organizational units (OUs) directly. If your users are organized into OUs, consider creating global security groups that contain the users from these OUs and then applying the newly defined fine-grained password and account lockout policies to them. If you move a user from one OU to another, you must update user memberships in the corresponding global security groups.
Go ahead and hit "OK" and then close out of all open windows. Now that you have created a password policy, we need to apply it to a user/group. In order to do so, you must have "write" permissions on the PSO object. We're doing this in a lab, so I'm Domain Admin. Write permissions are not a problem.
Open Active Directory Users and Computers (Start, point to Administrative Tools, and then click Active Directory Users and Computers).
On the View menu, ensure that Advanced Features is checked.
In the console tree, expand Active Directory Users and Computers\yourdomain\System\Password Settings Container
In the details pane, right-click the PSO, and then click Properties.
Click the Attribute Editor tab.
Select the msDS-PsoAppliesTo attribute, and then click Edit.
Question No: 185 – (Topic 2)
Your network contains an Active Directory domain named contoso.com. The domain contains domain controllers that run Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2.
A domain controller named DC1 runs Windows Server 2012 R2. DC1 is backed up daily. During routine maintenance, you delete a group named Group1.
You need to recover Group1 and identify the names of the users who were members of Group1 prior to its deletion. You want to achieve this goal by using the minimum amount of administrative effort.
What should you do first?
Perform an authoritative restore of Group1.
Mount the most recent Active Directory backup.
Use the Recycle Bin to restore Group1.
Reactivate the tombstone of Group1.
Answer: A
Explanation:
The Active Directory Recycle Bin does not have the ability to track simple changes to objects. If the object itself is not deleted, no element is moved to the Recycle Bin for possible recovery in the future. In other words, there is no rollback capacity for changes to object properties, or, in other words, to the values of these properties.
There is another approach you should be aware of. Tombstone reanimation (which has nothing to do with zombies) provides the only way to recover deleted objects without taking a DC offline, and it's the only way to recover a deleted object's identity information, such as its objectGUID and objectSid attributes. It neatly solves the problem of recreating a deleted user or group and having to fix up all the old access control list (ACL) references, which contain the objectSid of the deleted object.
An authoritative restore restores domain controllers to a specific point in time and marks objects in Active Directory as being authoritative with respect to their replication partners.
Question No: 186 – (Topic 2)
You have a server named Server1 that runs Windows Server 2012 R2.
You need to configure Server1 to create an entry in an event log when the processor usage exceeds 60 percent.
Which type of data collector should you create?
An event trace data collector
A performance counter alert
A performance counter data collector
A configuration data collector
Answer: B
Explanation:
Performance alerts notify you when a specified performance counter exceeds your configured threshold by logging an event to the event log. But rather than notifying you immediately when the counter exceeds the threshold, you can configure a time period over which the counter needs to exceed the threshold, to avoid unnecessary alerts.
Question No: 187 – (Topic 2)
You have a DNS server named Server1.
Server1 has a primary zone named contoso.com.
Zone Aging/Scavenging is configured for the contoso.com zone.
One month ago, an administrator removed a server named Server2 from the network.
You discover that a static resource record for Server2 is present in contoso.com. Resource records for decommissioned client computers are removed automatically from contoso.com.
You need to ensure that the static resource records for all of the servers are removed automatically from contoso.com.
What should you modify?
The Expires after value of contoso.com
The Record time stamp value of the static resource records
The time-to-live (TTL) value of the static resource records
The Security settings of the static resource records
Answer: B
Explanation:
Reset and permit them to use a current (non-zero) time stamp value. This enables these records to become aged and scavenged.
You can use this procedure to change how a specific resource record is scavenged.
A stale record is a record where both the No-Refresh Interval and Refresh Interval have passed without the time stamp updating.
Depending on how the resource record was originally added to the zone, do one of the following:
If the record was added dynamically using dynamic update, clear the Delete this record when it becomes stale check box to prevent its aging or potential removal during the scavenging process. If dynamic updates to this record continue to occur, the Domain Name System (DNS) server will always reset this check box so that the dynamically updated record can be deleted.
If you added the record statically, select the Delete this record when it becomes stale check box to permit its aging or potential removal during the scavenging process.
http://technet.microsoft.com/en-us/library/cc759204(v=ws.10).aspx
Typically, stale DNS records occur when a computer is permanently removed from the network. Mobile users who abnormally disconnect from the network can also cause stale DNS records. To help manage stale records, Windows adds a time stamp to dynamically added resource records in primary zones where aging and scavenging are enabled.
Manually added records are time stamped with a value of 0, and they are automatically excluded from the aging and scavenging process.
To enable aging and scavenging, you must do the following:
Resource records must be either dynamically added to zones or manually modified to be used in aging and scavenging operations.
Scavenging and aging must be enabled both at the DNS server and on the zone. Scavenging is disabled by default.
DNS scavenging depends on the following two settings:
No-refresh interval: The time between the most recent refresh of a record time stamp and the moment when the time stamp can be refreshed again. When scavenging is enabled, this is set to 7 days by default.
Refresh interval: The time between the earliest moment when a record time stamp can be refreshed and the earliest moment when the record can be scavenged. The refresh interval must be longer than the maximum record refresh period. When scavenging is enabled, this is set to 7 days by default.
A DNS record becomes eligible for scavenging after both the no-refresh and refresh intervals have elapsed. If the default values are used, this is a total of 14 days.
http://technet.microsoft.com/en-us/library/cc771570.aspx
http://technet.microsoft.com/en-us/library/cc771677.aspx
http://technet.microsoft.com/en-us/library/cc758321(v=ws.10).aspx
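The aging rules in the explanation for Question 187, worked through as an added PowerShell example (not part of the original page): it separates static records, which scavenging never removes, such as the leftover Server2 record, from dynamic records in their no-refresh, refresh, or stale window. The function name Get-ScavengeState and the sample records are assumptions made for illustration; the commented lines at the end show how the same function could be fed from the DnsServer module on a real server.

```powershell
# Added example: classify DNS records by aging state. Get-ScavengeState is a
# hypothetical helper name and the sample records below are constructed.
function Get-ScavengeState {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Record,
        [timespan] $NoRefreshInterval = (New-TimeSpan -Days 7),  # default from the text
        [timespan] $RefreshInterval   = (New-TimeSpan -Days 7),  # default from the text
        [datetime] $Now = (Get-Date)
    )
    process {
        if (-not $Record.Timestamp) {
            # Time stamp of 0 (or none): manually added record, excluded from aging
            $state = 'Static'; $eligible = $null
        } else {
            $refreshFrom = $Record.Timestamp + $NoRefreshInterval
            $eligible    = $refreshFrom + $RefreshInterval   # 14 days with the defaults
            $state = if ($Now -lt $refreshFrom) { 'NoRefresh' } elseif ($Now -lt $eligible) { 'Refresh' } else { 'Stale' }
        }
        [pscustomobject]@{
            HostName      = $Record.HostName
            Timestamp     = $Record.Timestamp
            State         = $state
            ScavengeAfter = $eligible
        }
    }
}

# Constructed sample input, shaped like Get-DnsServerResourceRecord output
$now = [datetime]'2024-03-01'
$sample = @(
    [pscustomobject]@{ HostName = 'server2';  Timestamp = $null }             # static record
    [pscustomobject]@{ HostName = 'client01'; Timestamp = $now.AddDays(-3) }  # inside no-refresh
    [pscustomobject]@{ HostName = 'client02'; Timestamp = $now.AddDays(-10) } # inside refresh
    [pscustomobject]@{ HostName = 'client03'; Timestamp = $now.AddDays(-30) } # past both intervals
)
$sample | Get-ScavengeState -Now $now | Format-Table -AutoSize

# On a DNS server, use the zone's own intervals and live records instead:
# $aging = Get-DnsServerZoneAging -Name 'contoso.com'
# Get-DnsServerResourceRecord -ZoneName 'contoso.com' -RRType A |
#     Get-ScavengeState -NoRefreshInterval $aging.NoRefreshInterval -RefreshInterval $aging.RefreshInterval
```

Records reported as Static are the ones worth reviewing by hand after a server is decommissioned, because they stay in the zone until their time stamp is changed or they are deleted.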
Question No: 188 HOTSPOT – (Topic 2)
Your network contains an Active Directory domain named contoso.com.
You need to create a certificate template for the BitLocker Drive Encryption (BitLocker) Network Unlock feature.
Which Cryptography setting of the certificate template should you modify? To answer, select the appropriate setting in the answer area.
Question No: 189 HOTSPOT – (Topic 2)
Your network contains an Active Directory domain named contoso.com. The domain contains 30 user accounts that are used for network administration. The user accounts are members of a domain global group named Group1.
You identify the security requirements for the 30 user accounts as shown in the following table.
You need to identify which settings must be implemented by using a Password Settings object (PSO) and which settings must be implemented by modifying the properties of the user accounts.
What should you identify? To answer, configure the appropriate settings in the dialog box in the answer area.
Box 1: PSO
Box 2: User Account Properties
Box 3: User Account Properties
Box 4: PSO
Password Settings object (PSO) is another name for fine-grained password policies.
Here you can see all the settings that go into a PSO.
Question No: 190 – (Topic 2)
You have a server named Server1 that runs Windows Server 2012 R2. Server1 has the Remote Access server role installed.
On Server1, you create a network policy named Policy1.
You need to configure Policy1 to ensure that users are added to a VLAN. Which attributes should you add to Policy1?
Tunnel-Tag, Tunnel-Password, Tunnel-Medium-Type, and Tunnel-Preference
Tunnel-Tag, Tunnel-Server-Auth-ID, Tunnel-Preference, and Tunnel-Pvt-Group-ID
Tunnel-Type, Tunnel-Tag, Tunnel-Medium-Type, and Tunnel-Pvt-Group-ID
Tunnel-Type, Tunnel-Password, Tunnel-Server-Auth-ID, and Tunnel-Pvt-Group-ID
VLAN attributes used in network policy
When you use network hardware, such as routers, switches, and access controllers that support virtual local area networks (VLANs), you can configure Network Policy Server (NPS) network policy to instruct the access servers to place members of Active Directory® groups on VLANs.
Before configuring network policy in NPS for VLANs, create groups of users in Active Directory Domain Services (AD DS) that you want to assign to specific VLANs. Then when you run the New Network Policy wizard, add the Active Directory group as a condition of the network policy.
You can create a separate network policy for each group that you want to assign to a VLAN. For more information, see Create a Group for a Network Policy. When you configure network policy for use with VLANs, you must configure the RADIUS standard attributes Tunnel-Medium-Type, Tunnel-Pvt-Group-ID, and Tunnel-Type. Some hardware vendors also require the use of the RADIUS standard attribute Tunnel-Tag.
To configure these attributes in a network policy, use the New Network Policy wizard to create a network policy. You can add the attributes to the network policy settings while running the wizard or after you have successfully created a policy with the wizard.
-> Tunnel-Medium-Type. Select a value appropriate to the previous selections you made while running the New Network Policy wizard. For example, if the network policy you are configuring is a wireless policy, in Attribute Value, select 802 (Includes all 802 media plus Ethernet canonical format).
-> Tunnel-Pvt-Group-ID. Enter the integer that represents the VLAN number to which group members will be assigned. For example, if you want to create a Sales VLAN for your sales team by assigning team members to VLAN 4, type the number 4.
-> Tunnel-Type. Select the value Virtual LANs (VLAN).
-> Tunnel-Tag. Some hardware devices do not require this attribute. If your hardware device requires this attribute, obtain this value from your hardware documentation.