Microsoft certification is an essential certification in the region of real information technological know-how. Even brand Microsoft is plenty regarding appealing your good chance for yourself. The particular Microsoft qualifications take a look at the condition of expertness that this unique boasts. The particular Microsoft is primarily aimed at improving the innovativeness with the professionals. These kinds of Microsoft certificationssuch as 70-411 transform your skills and change people into really qualified prospects with the place.
2021 Jan 70-411 testing engine
Q131. Your network contains an Active Directory domain named contoso.com. The domain contains a domain controller named DC1 that runs Windows Server 2012 R2. DC1 is backed up daily.
The domain has the Active Directory Recycle Bin enabled.
During routine maintenance, you delete 500 inactive user accounts and 100 inactive groups. One of the deleted groups is named Group1. Some of the deleted user accounts are members of some of the deleted groups.
For documentation purposes, you must provide a list of the members of Group1 before the group was deleted.
You need to identify the names of the users who were members of Group1 prior to its deletion.
You want to achieve this goal by using the minimum amount of administrative effort.
What should you do first?
A. Mount the most recent Active Directory backup.
B. Reactivate the tombstone of Group1.
C. Perform an authoritative restore of Group1.
D. Use the Recycle Bin to restore Group1.
Answer: A
Explanation:
The Active Directory Recycle Bin does not have the ability to track simple changes to objects.
If the object itself is not deleted, no element is moved to the Recycle Bin for possible recovery in the future. In other words, there is no rollback capacity for changes to object properties, or, in other words, to the values of these properties.
Q132. HOTSPOT
Your network contains an Active Directory domain named contoso.com.
You need to create a certificate template for the BitLocker Drive Encryption (BitLocker) Network Unlock feature.
Which Cryptography setting of the certificate template should you modify? To answer, select the appropriate setting in the answer area.
Answer:
Q133. You have a server named Server1 that runs Windows Server 2012 R2. Server1 has the File Server Resource Manager role service installed.
Each time a user receives an access-denied message after attempting to access a folder on Server1, an email notification is sent to a distribution list named DL1.
You create a folder named Folder1 on Server1, and then you configure custom NTFS permissions for Folder1.
You need to ensure that when a user receives an access-denied message while attempting to access Folder1, an email notification is sent to a distribution list named DL2. The solution must not prevent DL1 from receiving notifications about other access-denied messages.
What should you do?
A. From Server Manager, run the New Share Wizard to create a share for Folder1 by selecting the SMB Share - Advanced option.
B. From the File Server Resource Manager console, modify the Access-Denied Assistance settings.
C. From the File Server Resource Manager console, modify the Email Notifications settings.
D. From Server Manager, run the New Share Wizard to create a share for Folder1 by selecting the SMB Share -Applications option.
Answer: A
Reference: http://technet.microsoft.com/en-us/library/jj574182.aspx#BKMK_12
Explanation:
When using the email model each of the file shares, you can determine whether access requests to each file share will be received by the administrator, a distribution list that represents the file share owners, or both.
The owner distribution list is configured by using the SMB Share – Advanced file share profile in the New Share Wizard in Server Manager.
Q134. Your network contains an Active Directory domain named contoso.com.
Network Policy Server (NPS) is deployed to the domain.
You plan to deploy Network Access Protection (NAP).
You need to configure the requirements that are validated on the NPS client computers.
What should you do?
A. From the Network Policy Server console, configure a network policy.
B. From the Network Policy Server console, configure a health policy.
C. From the Network Policy Server console, configure a Windows Security Health Validator (WSHV) policy.
D. From a Group Policy object (GPO), configure the NAP Client Configuration security setting.
E. From a Group Policy object (GPO), configure the Network Access Protection Administrative Templates setting.
Answer: C
Q135. Your network contains an Active Directory domain named contoso.com. The domain contains six domain controllers named DC1, DC2, DC3, DC4, DC5, and DC6. Each domain controller has the DNS Server server role installed and hosts an Active Directory-integrated zone for contoso.com.
You plan to create a new Active Directory-integrated zone named litwareinc.com that will be used for testing.
You need to ensure that the new zone will be available only on DC5 and DCG.
What should you do first?
A. Change the zone replication scope.
B. Create an Active Directory connection object.
C. Create an Active Directory site link.
D. Create an application directory partition.
Answer: D
Explanation:
You can store Domain Name System (DNS) zones in the domain or application directory partitions of Active Directory Domain Services (AD DS). A partition is a data structure in AD DS that distinguishes data for different replication purposes. When you create an application directory partition for DNS, you can control the scope of replication for the zone that is stored in that partition.
Rebirth 70-411 test question:
Q136. HOTSPOT
Your network contains an Active Directory domain named contoso.com.
You have several Windows PowerShell scripts that execute when client computers start.
When a client computer starts, you discover that it takes a long time before users are prompted to log on.
You need to reduce the amount of time it takes for the client computers to start. The solution must not prevent scripts from completing successfully.
Which setting should you configure? To answer, select the appropriate setting in the answer area.
Answer:
Q137. You have a server named Server 1.
You enable BitLocker Drive Encryption (BitLocker) on Server 1.
You need to change the password for the Trusted Platform Module (TPM) chip.
What should you run on Server1?
A. Manage-bde.exe
B. Set-TpmOwnerAuth
C. bdehdcfg.exe
D. tpmvscmgr.exe
Answer: B
Explanation:
The Set-TpmOwnerAuthcmdlet changes the current owner authorization value of the Trusted Platform Module (TPM) to a new value. You can specify the current owner authorization value or specify a file that contains the current owner authorization value. If you do not specify an owner authorization value, the cmdlet attempts to read the value from the registry.
Use the ConvertTo-TpmOwnerAuthcmdlet to create an owner authorization value. You can specify a new owner authorization value or specify a file that contains the new value.
Q138. Your network contains an Active Directory domain named contoso.com. All servers run Windows Server 2012 R2. The functional level of both the domain and the forest is Windows Server 2008 R2.
The domain contains a domain-based Distributed File System (DFS) namespace that is configured as shown in the exhibit. (Click the Exhibit button.)
You need to enable access-based enumeration on the DFS namespace.
What should you do first?
A. Raise the domain functional level.
B. Raise the forest functional level.
C. Install the File Server Resource Manager role service on Server3 and Server5.
D. Delete and recreate the namespace.
Answer: D
Explanation:
Access-based enumeration is only supported on a Domain-based Namespace in Windows Server 2008 Mode. This type of Namespace requires a minimum Windows Server 2003 forest functional level and a minimum Windows Server 2008 domain functional level.
The exhibit indicates that the current namespace is a Domain-based Namespace in Windows Server 2000 Mode. To migrate a domain-based namespace from Windows 2000 Server mode to Windows Server 2008 mode, you must export the namespace to a file, delete the namespace, recreate it in Windows Server 2008 mode, and then import the namespace settings.
http://msdn.microsoft.com/en-us/library/cc770287.aspx http://msdn.microsoft.com/en-us/library/cc753875.aspx
Q139. You have the following Windows PowerShell Output.
You need to create a Managed Service Account.
What should you do?
A. Run New-ADServiceAccount –Name “service01” –DNSHostName service01.contoso.com –SAMAccountName service01.
B. Run New-AuthenticationPolicySilo, and then run New-ADServiceAccount –Name “service01” –DNSHostName service01.contoso.com.
C. Run Add-KDSRootKey, and then run New-ADServiceAccount –Name “service01” –DNSHostName service01.contoso.com.
D. Run Set-KDSConfiguration, and then run New-ADServiceAccount –Name “service01” –DNSHostName service01.contoso.com.
Answer: C
Explanation: From the exhibit we see that the required key does not exist. First we create this key, then we create the managed service account.
The Add-KdsRootKey cmdlet generates a new root key for the Microsoft Group Key Distribution Service (KdsSvc) within Active Directory (AD). The Microsoft Group KdsSvc generates new group keys from the new root key.
The New-ADServiceAccount cmdlet creates a new Active Directory managed service account.
Reference: New-ADServiceAccount
https://technet.microsoft.com/en-us/library/hh852236(v=wps.630).aspx
Reference: Add-KdsRootKey
ttps://technet.microsoft.com/en-us/library/jj852117(v=wps.630).aspx
Q140. You are a network administrator of an Active Directory domain named contoso.com.
You have a server named Server1 that runs Windows Server 2012 R2. Server1 has the DHCP Server server role and the Network Policy Server role service installed.
You enable Network Access Protection (NAP) on all of the DHCP scopes on Server1.
You need to create a DHCP policy that will apply to all of the NAP non-compliant DHCP clients.
Which criteria should you specify when you create the DHCP policy?
A. The client identifier
B. The user class
C. The vendor class
D. The relay agent information
Answer: B
Explanation:
To configure a NAP-enabled DHCP server
On the DHCP server, click Start, click Run, in Open, type dhcpmgmt. smc, and then press ENTER.
In the DHCP console, open <servername>\IPv4.
Right-click the name of the DHCP scope that you will use for NAP client computers, and then click Properties.
On the Network Access Protection tab, under Network Access Protection Settings, choose Enable for this scope, verify that Use default Network Access Protection profile is selected, and then click OK.
In the DHCP console tree, under the DHCP scope that you have selected, right-click Scope Options, and then click Configure Options.
On the Advanced tab, verify that Default User Class is selected next to User class.
Select the 003 Router check box, and in IP Address, under Data entry, type the IP address for the default gateway used by compliant NAP client computers, and then click Add. Select the 006 DNS Servers check box, and in IP Address, under Data entry, type the IP address for each router to be used by compliant NAP client computers, and then click Add. Select the 015 DNS Domain Name check box, and in String value, under Data entry, type your organization's domain name (for example, woodgrovebank. local), and then click Apply. This domain is a full-access network assigned to compliant NAP clients. On the Advanced tab, next to User class, choose Default Network Access Protection Class. Select the 003 Router check box, and in IP Address, under Data entry, type the IP address for the default gateway used by noncompliant NAP client computers, and then click Add. This can be the same default gateway that is used by compliant NAP clients. Select the 006 DNS Servers check box, and in IP Address, under Data entry, type the IP address for each DNS server to be used by noncompliant NAP client computers, and then click Add. These can be the same DNS servers used by compliant NAP clients. Select the 015 DNS Domain Name check box, and in String value, under Data entry, type a name to identify the restricted domain (for example, restricted. Woodgrovebank. local), and then click OK. This domain is a restricted-access network assigned to noncompliant NAP clients. Click OK to close the Scope Options dialog box. Close the DHCP console.
Reference: http: //technet.microsoft.com/en-us/library/dd296905%28v=ws.10%29.aspx