Q111. - (Topic 3)
You need to ensure that NAP meets the technical requirements.
Which role services should you install?
A. Network Policy Server, Health Registration Authority and Host Credential Authorization Protocol
B. Health Registration Authority, Host Credential Authorization Protocol and Online Responder
C. Certification Authority, Network Policy Server and Health Registration Authority
D. Online Responder, Certification Authority and Network Policy Server
Answer: C
Explanation:
D:\Documents and Settings\useralbo\Desktop\1.jpg
Health Registration Authority Applies To: Windows Server 2008 R2, Windows Server 2012 Health Registration Authority (HRA) is a component of a Network Access Protection (NAP) infrastructure that plays a central role in NAP Internet Protocol security (IPsec) enforcement. HRA obtains health certificates on behalf of NAP clients when they are compliant with network health requirements. These health certificates authenticate NAP clients for IPsec-protected communications with other NAP clients on an intranet. If a NAP client does not have a health certificate, the IPsec peer authentication fails and the NAP client cannot initiate communication with other IPsec-protected computers on the network. HRA is installed on a computer that is also running Network Policy Server (NPS) and Internet Information Services (IIS). If they are not already installed, these services will be added when you install HRA. http://technet.microsoft.com/en-us/library/cc732365.aspx
Topic 4, Northwind Traders (A)
Overview
Northwind Traders is a retail company.
The company has offices in Montreal and San Diego. The office in Montreal has 1,000 client computers. The office in San Diego has 100 computers. The computers in the San Diego office are often replaced. The offices connect to each other by using a slow WAN link. Each office connects directly to the Internet.
Existing Environment
Active Directory Environment
The network contains an Active Directory forest named northwindtraders.com. The forest contains two domains named northwindtraders.com and west.northwindtraders.com. All servers run Windows Server 2012 R2.
All client computers run Windows 7.
Each office is configured as an Active Directory site. The site in the Montreal office is named Site1. The site in the San Diego office is named Site2.
The forest contains four domain controllers. The domain controllers are configured as shown in the following table.
DC1, DC2, and DC3 are writable domain controllers. R0DC1 is read-only domain controller
(RODC). All DNS zones are Active Directory-integrated. All zones replicate to all of the
domain controllers.
All of the computers in the San Diego office are configured to use RODC1 as their only
DNS server.
The northwindtraders.com domain contains a Group Policy object (GPO) named GPO1.
GP01 is applied to all of the users in the Montreal office.
All of the user accounts for the Montreal users are in the northwindtraders.com domain. All
of the user accounts for the San Diego users are in the west.northwindtraders.com domain.
Network Environment
Site1 contains the member servers in the northwindtraders.com domain shown in the following table.
Server1 connects to SAN storage that supports Offloaded Data Transfer (ODX). All virtual hard disks (VHDs) are stored on the SAN.
A web application named App1 is installed on Servers.
Server3 has a shared folder that contains sales reports. The sales reports are read frequently by the users in both offices. The reports are generated automatically once per week by an enterprise resource planning (ERP) system.
A perimeter network in the Montreal office contains two standalone servers. The servers
are configured as shown in the following table.
The servers in the perimeter network are accessible from the Internet by using a domain name suffix of public.northwindtraders.com.
Each administrator has a management computer that runs Windows 8.1.
Requirements Planned Changes
Northwind Traders plans to implement the following changes:
On Server1, create four virtual machines that run Windows Server 2012 R2. The servers will be configured as shown in the following table.
Configure IP routing between Site1 and the network services that Northwind
Traders hosts in Windows Azure.
Place a domain controller for the northwindtraders.com domain in Windows Azure.
Upgrade all of the computers in the Montreal office to Windows 8.1.
Purchase a subscription to Microsoft Office 365.
Configure a web application proxy on Server6.
Configure integration between VMM and IPAM.
Apply GPO1 to all of the San Diego users.
Connect Site1 to Windows Azure.
Technical Requirements
Northwind Traders must meet the following technical requirements:
All virtual machines must use ODX.
Users must be able to access App1 from the Internet.
GPO1 must not be applied to computers that run Windows 8.1.
All DNS zones must replicate only to DC1, DC2, and DC3.
All computers must be able to resolve names by using a local DNS server.
If a WAN link fails, users must be able to access all of the sales reports.
The credentials for accessing Windows Azure must be permanently stored.
The on-premises network must be connected to Windows Azure by using Server4.
The administrators must be able to manage Windows Azure by using Windows PowerShell.
The number of servers and services deployed in the San Diego office must be minimized.
Active Directory queries for the objects in the forest must not generate WAN traffic, whenever possible.
Security Requirements
Northwind Traders identifies the following security requirements:
Ensure that all DNS zone data is encrypted when it is replicated.
Minimize the number of permissions assigned to users and administrators, whenever possible. Prevent an Active Directory Domain Services (AD DS) attribute named SSNumber from replicating to Site2.
Ensure that users can use their northwindtraders.com user account to access the resources hosted in Office 365.
Prevent administrators from being required to re-enter their credentials when they manage Windows Azure from approved management computers.
Q112. - (Topic 9)
A new company registers the domain name of contoso.com. The company has a web presence on the Internet. All Internet resources have names that use a DNS suffix of contoso.com.
A third-party hosts the Internet resources and is responsible for managing the contoso.com DNS zone on the Internet. The zone contains several hundred records.
The company plans to deploy an Active Directory forest.
You need to recommend an Active Directory forest infrastructure to meet the following requirements:
. Ensure that users on the internal network can resolve the names of the company's Internet resources.
. Minimize the amount of administrative effort associated with the addition of new Internet servers.
What should you recommend?
A. A forest that contains a single domain named contoso.local
B. A forest that contains a root domain named contoso.com and another domain named contoso.local
C. A forest that contains a root domain named contoso.com and another domain named ad.contoso.com
D. A forest that contains a single domain named contoso.com
Answer: A
Q113. - (Topic 9)
Your network contains a Hyper-V host named Host1 that runs Windows Server 2012. Host1 contains a virtual machine named DC1. DC1 is a domain controller that runs Windows Server 2012.
You plan to clone DC1.
You need to recommend which steps are required to prepare DC1 to be cloned.
What should you include in the recommendation? (Each correct answer presents part of the solution. Choose all that apply.)
A. Run dcpromo.exe /adv.
B. Create a file named Dccloneconfig.xml.
C. Add DC1 to the Cloneable Domain Controllers group.
D. Run sysprep.exe /oobe.
E. Run New-VirtualDiskClone.
Answer: B,C
Explanation:
http://blogs.technet.com/b/askpfeplat/archive/2012/10/01/virtual-domain-controller-cloning-in-windowsserver-2012.aspx DCCloneConfig.xml is an XML configuration file that contains all of the settings the cloned DC will take when it boots. This includes network settings, DNS, WINS, AD site name, new DC name and more. This file can be generated in a few different ways. There's a new group in town. It's called Cloneable Domain Controllers and you can find it in the Users container. Membership in this group dictates whether a DC can or cannot be cloned. This group has some permissions set on the domain head that should not be removed. Removing these permissions will cause cloning to fail. Also, as a best practice, DCs shouldn't be added to the group until you plan to clone and DCs should be removed from the group once cloning is complete. Cloned DCs will also end up in the Cloneable Domain Controllers group. Make sure to remove those as well
Q114. - (Topic 10)
Your network contains an Active Directory domain named contoso.com.
You plan to deploy an Active Directory Federation Services (AD FS) farm that will contain eight federation servers.
You need to identify which technology or technologies must be deployed on the network before you install the federation servers.
Which technology or technologies should you identify? (Each correct answer presents part of the solution. Choose all that apply.)
A. Network Load Balancing (NLB)
B. Microsoft Forefront Identity Manager (FIM) 2010
C. The Windows Internal Database feature
D. Microsoft SQL Server 2012
E. The Windows Identity Foundation 3.5 feature
Answer: A,D
Explanation: Best practices for deploying a federation server farm We recommend the following best practices for deploying a federation server in a production environment:
* (A) Use NLB or some other form of clustering to allocate a single IP address for many federation server computers.
* (D) If the AD FS configuration database will be stored in a SQL database, avoid editing the SQL database from multiple federation servers at the same time.
* If you will be deploying multiple federation servers at the same time or you know that you
will be adding more servers to the farm over time, consider creating a server image of an existing federation server in the farm and then installing from that image when you need to create additional federation servers quickly.
* Reserve a static IP address for each federation server in the farm and, depending on your Domain Name System (DNS) configuration, insert an exclusion for each IP address in Dynamic Host Configuration Protocol (DHCP). Microsoft NLB technology requires that each server that participates in the NLB cluster be assigned a static IP address.
Reference: When to Create a Federation Server Farm
Q115. - (Topic 3)
You need to recommend an IPAM management solution for the Operators groups. The solution must meet the technical requirements.
What should you include in the recommendation?
A. Run the Invoke-IpamGpoProvisioningcmdlet in all three domains. Add the computers used by the members of the Operators group to the IPAM server.
B. Modify the membership of the IPAM Administrators group and the WinRMRemoteWMIUsers_ group on the IPAM server.
C. Run the Set-IpamConfigurationcmdlet and modify the membership of the WinRMRemoteWMRJsers_ group on the IPAM server.
D. Run the Set-IpamConfigurationcmdlet on the IPAM server. Run the Invoke-IpamGpoProvisioningcmdlet in all three domains.
Answer: B
Explanation:
D:\Documents and Settings\useralbo\Desktop\1.jpg
Q116. - (Topic 10)
Your network contains five servers that run Windows Server 2012 R2.
You install the Hyper-V server role on the servers. You create an external virtual network switch on each server.
You plan to deploy five virtual machines to each Hyper-V server. Each virtual machine will have a virtual network adapter that is connected to the external virtual network switch and that has a VLAN identifier of 1.
Each virtual machine will run Windows Server 2012 R2. All of the virtual machines will run the identical web application.
You plan to install the Network Load Balancing (NLB) feature on each virtual machine and join each virtual machine to an NLB cluster. The cluster will be configured to use unicast only.
You need to ensure that the NLB feature can distribute connections across all of the virtual machines.
Solution: From the properties of each virtual machine, you enable MAC address spoofing for the existing virtual network adapter.
Does this meet the goal?
A. Yes
B. No
Answer: A
Q117. DRAG DROP - (Topic 10)
Your network contains an Active Directory domain named contoso.com. The domain contains two domain controllers named DC1 and DC2. The domain contains a server named Server1.
Server1 is a certification authority (CA). All servers run Windows Server 2012 R2.
You plan to deploy BitLocker Drive Encryption (BitLocker) to all client computers. The unique identifier for your organization is set to Contoso.
You need to ensure that you can recover the BitLocker encrypted data by using a BitLocker data recovery agent. You must be able to perform the recovery from any administrative computer.
Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Answer:
Q118. - (Topic 9)
Your network contains an Active Directory domain named contoso.com. The domain contains an organizational unit (OU) named OU1.
You have a Group Policy object (GPO) named GPO1 that is linked to contoso.com. GPO1 contains custom security settings.
You need to design a Group Policy strategy to meet the following requirements:
. The security settings in GPO1 must be applied to all client computers.
. Only GPO1 and other GPOs that are linked to OU1 must be applied to the client computers in OU1.
What should you include in the design?
More than one answer choice may achieve the goal. Select the BEST answer.
A. Enable the Block Inheritance option at the domain level. Enable the Enforced option on GPO1.
B. Enable the Block Inheritance option on OU1. Link GPO1 to OU1.
C. Enable the Block Inheritance option on OU1. Enable the Enforced option on all of the GPOs linked to OU1.
D. Enable the Block Inheritance option on OU1. Enable the Enforced option on GPO1.
Answer: D
Q119. - (Topic 9)
Your network contains an Active Directory domain. All servers run Windows Server 2012 R2.
The domain contains the servers shown in the following table.
You need to recommend which servers will benefit most from implementing data deduplication.
Which servers should you recommend?
A. Server1 and Server2
B. Server1 and Server3
C. Server1 and Server4
D. Server2 and Server3
E. Server2 and Server4
F. Server3 and Server4
Answer: D
Q120. HOTSPOT - (Topic 7)
You need to recommend which setting must be applied to the virtualization infrastructure of Northwind Traders to minimize the impact of multiple virtual machines starting concurrently.
What command should you recommend running? To answer, select the appropriate options in the answer area.
Answer: