Q1. - (Topic 3)
What should you do for server core so it can be managed from another server 2012 R2?
A. 1
B. 2
C. 3
D. 4
E. 5
F. 6
G. 7
H. 8
I. 9
J. 10
K. 11
L. 12
M. 13
N. 14
O. 15
Answer: A
Explanation:
You should join the server to the domain first. You can add workgroup servers to Server Manager on a domain joined server, however, you must first add the workgroup computer to the Trusted Hosts list using "Set-Item wsman:\localhost\Client\TrustedHostsWorkgroupServerName -Concatenate -Force"
Q2. - (Topic 3)
Your network contains an Active Directory domain named contoso.com.
You discover that when you join client computers to the domain manually, the computer accounts are created in the Computers container.
You need to ensure that new computer accounts are created automatically in an organizational unit (OU) named Corp.
Which tool should you use?
A. net.exe
B. redircmp.exe
C. regedit.exe
D. dsadd.exe
Answer: B
Explanation:
A. Used to stop/start protocols
B. Redirects the default container for newly created computers to a specified, target
organizational unit
C. Modify local registry entries
D. Adds specific types of objects to the directory
Redirects the default container for newly created computers to a specified, target
organizational unit (OU) so that newly created computer objects are created in the specific
target OU instead of in CN=Computers.
You must run the redircmp command from an elevated command prompt.
Redircmp.exe is located in the C:\Windows\System32 folder.
You must be a member of the Domain Admins group or the Enterprise Admins group to
use this tool.
Q3. - (Topic 3)
Your network contains an Active Directory domain named contoso.com.
You have a starter Group Policy object (GPO) named GPO1 that contains more than 100
settings.
You need to create a new starter GPO based on the settings in GPO1.
You must achieve this goal by using the minimum amount of administrative effort.
What should you do?
A. Run the New-GPStarterGPO cmdlet and the Copy-GPO cmdlet.
B. Create a new starter GPO and manually configure the policy settings of the starter GPO.
C. Right-click GPO1, and then click Back Up. Create a new starter GPO. Right-click the new GPO, and then click Restore from Backup.
D. Right-click GPO1, and then click Copy. Right-click Starter GPOs, and then click Paste.
Answer: B
Explanation:
Although GPOs and Starter GPOs can both be copied, and a Starter GPO can be used to create a new GPO (as that is their purpose), an existing GPO cannot be copied to a new Starter GPO (unfortunately).
Q4. - (Topic 1)
Your network contains an Active Directory forest named contoso.com. The forest contains a single domain. The domain contains two domain controllers named DC1 and DC2 that run Windows Server 2012 R2.
The domain contains a user named User1 and a global security group named Group1.
You need to prevent User1 from changing his password. The solution must minimize administrative effort.
Which cmdlet should you run?
A. Add-AdPrincipalGroupMembership
B. Install-AddsDomainController
C. Install-WindowsFeature
D. Install-AddsDomain
E. Rename-AdObject
F. Set-AdAccountControl
G. Set-AdGroup
H. Set-User
Answer: F
Explanation:
The Set-ADAccountControlcmdlet modifies the user account control (UAC) values for an Active Directory user or computer account. UAC values are represented by cmdlet parameters. CannotChangePassword Modifies the ability of an account to change its password. To disallow password change by the account set this to $true. This parameter changes the Boolean value of the CannotChangePassword property of an account. The following example shows how to specify the PasswordCannotChange parameter. -CannotChangePassword $false
References:
http://technet.microsoft.com/en-us/library/ee617249.aspx http://technet.microsoft.com/en-us/library/hh974723.aspx http://technet.microsoft.com/en-us/library/hh974722.aspx
Q5. - (Topic 3)
Your network contains an Active Directory domain named contoso.com.
You need to prevent users from installing a Windows Store app named App1.
What should you create?
A. An application control policy executable rule
B. An application control policy packaged app rule
C. A software restriction policy certificate rule
D. An application control policy Windows Installer rule
Answer: B
Explanation:
Windows 8 is coming REALLY SOON and of course one of the big new things to computer with that is the new Packaged Apps that run in the start screen. However these apps are very different and do not install like traditional apps to a path or have a true “executable” file to launch the program. Of course enterprises need a way to control these packaged apps and therefore Microsoft has added a new feature Packaged Apps option to the App1ocker feature.
A. For .exe or .com
B. A publisher rule for a Packaged app is based on publisher, name and version
C. You can create a certificate rule that identifies software and then allows or does not allow the software to run, depending on the security level.
D. For .msi or .msp Packaged apps (also known as Windows 8 apps) are new to Windows Server 2012 R2 and Windows 8. They are based on the new app model that ensures that all the files within an app package share the same identity. Therefore, it is possible to control the entire Application using a single App1ocker rule as opposed to the non-packaged apps where each file within the app could have a unique identity. Windows does not support unsigned packaged apps which implies all packaged apps must be signed. App1ocker supports only publisher rules for Packaged apps. A publisher rule for a packaged app is based on the following information: Publisher of the package Package name Package version Therefore, an App1ocker rule for a Packaged app controls both the installation as well as the running of the app. Otherwise, the publisher rules for Packaged apps are no different than the rest of the rule collections; they support exceptions, can be increased or decreased in scope, and can be assigned to users and groups.
Q6. - (Topic 1)
Your network contains an Active Directory domain named contoso.com. All servers run Windows Server 2012 R2. A server named Server1 is configured to encrypt all traffic by using IPSec.
You need to ensure that Server1 can respond to ping requests from computers that do not support IPSec.
What should you do?
A. From a command prompt, run netsh set global
autotuninglevel = highlyrestrictedcongestionprovider=none.
B. From a command prompt, run netsh set global autotuninglevel = restricted congestionprovider = ctcp.
C. From Windows Firewall with Advanced Security, allow unicast responses for the Domain Profile.
D. From Windows Firewall with Advanced Security, exempt ICMP from IPSec.
Answer: D
Q7. - (Topic 3)
Your network contains an Active Directory domain named contoso.com. The domain contains a member server named HVServer1. HVServer1 runs Windows Server 2012 and has the Hyper-V server role installed. HVServer1 hosts 10 virtual machines. All of the virtual machines connect to a virtual switch named Switch1. Switch1 is configured as a private network. All of the virtual machines have the DHCP guard and the router guard settings enabled.
You install the DHCP server role on a virtual machine named Server 1. You authorize Server1 as a DHCP server in contoso.com. You create an IP scope.
You discover that the virtual machines connected to Switch1 do not receive IP settings from Server1.
You need to ensure that the virtual machines can use Server1 as a DHCP server.
What should you do?
A. Enable MAC address spoofing on Server1.
B. Disable the DHCP guard on all of the virtual machines that are DHCP clients.
C. Disable the DHCP guard on Server1.
D. Enable single-root I/O virtualization (SR-IOV) on Server1.
Answer: C
Explanation:
Private virtual networks are used where you want to allow communications between virtual machine to virtual machine on the same physical server in a block diagram, a private network is an internal network without a virtual NIC in the parent partition. A private network would commonly be used where you need complete isolation of virtual machines from external and parent partition traffic. DMZ workloads running on a leg of a trihomed firewall, or an isolated test domain are examples where this type of network may be useful.
Q8. - (Topic 3)
You work as an administrator at Contoso.com. The Contoso.com network consists of two Active Directory forests, named Contoso.com and test.com. There is no trust relationship configured between the forests.
A backup of Group Policy object (GPO) from the test.com domain is stored on a domain controller in the Contoso.com domain.
You are informed that a GPO must be created in the Contoso.com domain, and must be based on the settings of the GPO in the test.com domain.
You start by creating the new GPO using the New-GPO Windows PowerShell cmdlet. You want to complete the task via a Windows PowerShell cmdlet.
Which of the following actions should you take?
A. You should consider making use of the Invoke-GPUpdate Windows PowerShell cmdlet.
B. You should consider making use of the Copy-GPO Windows PowerShell cmdlet.
C. You should consider making use of the New-GPLink Windows PowerShell cmdlet.
D. You should consider making use of the Import-GPO Windows PowerShell cmdlet.
Answer: D
Explanation:
Import-GPO -Imports the Group Policy settings from a backed-up GPO into a specified GPO.
Q9. - (Topic 2)
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2.Server1 has the Hyper-V server role installed. Server1 has a virtual switch named RDS Virtual.
You replace all of the network adapters on Server1 with new network adapters that support single-root I/O visualization (SR-IOV).
You need to enable SR-IOV for all of the virtual machines on Server1.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. On each virtual machine, modify the Advanced Features settings of the network adapter.
B. Modify the settings of the RDS Virtual virtual switch.
C. On each virtual machine, modify the BIOS settings.
D. Delete, and then recreate the RDS Virtual virtual switch.
E. On each virtual machine, modify the Hardware Acceleration settings of the network adapter.
Answer: D,E
Explanation:
The first step when allowing a virtual machine to have connectivity to a physical network is to create an external virtual switch using Virtual Switch Manager in Hyper-V Manager. The additional step that is necessary when using SR-IOV is to ensure the checkbox is checked when the virtual switch is being created. It is not possible to change a “non SR-IOV mode” external virtual switch into an “SR-IOV mode” switch. The choice must be made a switch creation time. Thus you should first delete the existing virtual switch and then recreate it.
E: Once a virtual switch has been created, the next step is to configure a virtual machine.
SR-IOV in Windows Server “8” is supported on x64 editions of Windows “8” as a guest operating system (as in Windows “8” Server, and Windows “8” client x64, but not x86 client).We have rearranged the settings for a virtual machine to introduce sub-nodes under a network adapter, one of which is the hardware acceleration node. At the bottom is a checkbox to enable SR-IOV.