Q1. You have a server named Server1 that runs Windows Server 2012 R2. You create a Data Collector Set (DCS) named DCS1.
You need to configure DCS1 to log data to D:\logs.
What should you do?
A. Right-click DCS1 and click Properties.
B. Right-click DCS1 and click Export list.
C. Right-click DCS1 and click Data Manager.
D. Right-click DCS1 and click Save template.
Answer: A
Explanation:
The Root Directory will contain data collected by the Data Collector Set. Change this setting if you want to store your Data Collector Set data in a different location than the default. Browse to and select the directory, or type the directory name.
To view or modify the properties of a Data Collector Set after it has been created, you can:
* Select the Open properties for this data collector set check box at the end of the Data
Collector Set Creation Wizard.
* Right-click the name of a Data Collector Set, either in the MMC scope tree or in the
console window, and click Properties in the context menu.
Directory tab:
In addition to defining a root directory for storing Data Collector Set data, you can specify a
single Subdirectory or create a Subdirectory name format by clicking the arrow to the right
of the text entry field.
Q2. Your network contains an Active Directory domain named adatum.com.
You have a standard primary zone named adatum.com.
You need to provide a user named User1 the ability to modify records in the zone. Other users must be prevented from modifying records in the zone.
What should you do first?
A. Run the Zone Signing Wizard for the zone.
B. From the properties of the zone, modify the start of authority (SOA) record.
C. From the properties of the zone, change the zone type.
D. Run the New Delegation Wizard for the zone.
Answer: C
Explanation:
The Zone would need to be changed to a AD integrated zone When you use directory-integrated zones, you can use access control list (ACL) editing to secure a dnsZone object container in the directory tree. This feature provides detailed access to either the zone or a specified resource record in the zone. For example, an ACL for a zone resource record can be restricted so that dynamic updates are allowed only for a specified client computer or a secure group, such as a domain administrators group. This security feature is not available with standard primary zones.
DNS update security is available only for zones that are integrated into Active Directory. After you integrate a zone, you can use the access control list (ACL) editing features that are available in the DNS snap-in to add or to remove users or groups from the ACL for a specific zone or for a resource record.
Standard (not an Active Directory integrated zone) has no Security settings:
You need to firstly change the "Standard Primary Zone" to AD Integrated Zone:
Now there's Security tab:
References: http: //technet. microsoft. com/en-us/library/cc753014. aspx
http: //technet. microsoft. com/en-us/library/cc726034. aspx
http: //support. microsoft. com/kb/816101
Q3. Your network contains two Active Directory forests named contoso.com and adatum.com. The contoso.com forest contains a server named Server1.contoso.com. The adatum.com forest contains a server named server2. adatum.com. Both servers have the Network Policy Server role service installed.
The network contains a server named Server3. Server3 is located in the perimeter network and has the Network Policy Server role service installed.
You plan to configure Server3 as an authentication provider for several VPN servers.
You need to ensure that RADIUS requests received by Server3 for a specific VPN server are always forwarded to Server1.contoso.com.
Which two should you configure on Server3? (Each correct answer presents part of the solution. Choose two.)
A. Remediation server groups
B. Remote RADIUS server groups
C. Connection request policies
D. Network policies
E. Connection authorization policies
Answer: B,C
Explanation:
To configure NPS as a RADIUS proxy, you must create a connection request policy that contains all of the information required for NPS to evaluate which messages to forward and where to send the messages.
When you configure Network Policy Server (NPS) as a Remote Authentication Dial-In User Service (RADIUS) proxy, you use NPS to forward connection requests to RADIUS servers that are capable of processing the connection requests because they can perform authentication and authorization in the domain where the user or computer account is located. For example, if you want to forward connection requests to one or more RADIUS servers in untrusted domains, you can configure NPS as a RADIUS proxy to forward the requests to the remote RADIUS servers in the untrusted domain. To configure NPS as a RADIUS proxy, you must create a connection request policy that contains all of the information required for NPS to evaluate which messages to forward and where to send the messages.
When you configure a remote RADIUS server group in NPS and you configure a connection request policy with the group, you are designating the location where NPS is to forward connection requests.
References: http: //technet. microsoft. com/en-us/library/cc754518. aspx
http: //technet. microsoft. com/en-us/library/cc754518. aspx
http: //technet. microsoft. com/en-us/library/cc754518. aspx
Q4. HOTSPOT
You have a server named Server1 that has the Network Policy and Access Services server role installed.
You plan to configure Network Policy Server (NPS) on Server1 to use certificate-based authentication for VPN connections.
You obtain a certificate for NPS.
You need to ensure that NPS can perform certificate-based authentication.
To which store should you import the certificate?
To answer, select the appropriate store in the answer area.
Answer:
Q5. Your network contains an Active Directory domain named contoso.com. The domain contains six domain controllers. The domain controllers are configured as shown in the following table.
The network contains a server named Server1 that has the Hyper-v server role installed. DC6 is a virtual machine that is hosted on Server1.
You need to ensure that you can clone DC6.
Which FSMO role should you transfer to DC2?
A. Rid master
B. Domain naming master
C. PDC emulator
D. Infrastructure master
Answer: C
Explanation:
The clone domain controller uses the security context of the source domain controller (the domain controller whose copy it represents) to contact the Windows Server 2012 R2 Primary Domain Controller (PDC) emulator operations master role holder (also known as flexible single master operations, or FSMO). The PDC emulator must be running Windows
Server 2012 R2, but it does not have to be running on a hypervisor.
Reference:
http: //technet. microsoft. com/en-us/library/hh831734. aspx
Q6. Your network contains an Active Directory domain named contoso.com. The domain contains five servers. The servers are configured as shown in the following table.
All desktop computers in contoso.com run Windows 8 and are configured to use BitLocker Drive Encryption (BitLocker) on all local disk drives.
You need to deploy the Network Unlock feature. The solution must minimize the number of features and server roles installed on the network.
To which server should you deploy the feature?
A. Server1
B. Server2
C. Server3
D. Server4
E. Server5
Answer: E
Explanation:
The BitLocker Network Unlock feature will install the WDS role if it is not already installed. If you want to install it separately before you install BitLocker Network Unlock you can use Server Manager or Windows PowerShell. To install the role using Server Manager, select the Windows Deployment Services role in Server Manager.
Q7. Your network contains a Network Policy Server (NPS) server named Server1. The network contains a server named SQL1 that has Microsoft SQL Server 2008 R2 installed. All servers run Windows Server 2012 R2.
You configure NPS on Server1 to log accounting data to a database on SQL1.
You need to ensure that the accounting data is captured if SQL1 fails. The solution must minimize cost.
What should you do?
A. Implement Failover Clustering.
B. Implement database mirroring.
C. Run the Accounting Configuration Wizard.
D. Modify the SQL Server Logging properties.
Answer: C
Explanation:
In Windows Server 2008 R2, an accounting configuration wizard is added to the Accounting node in the NPS console. By using the Accounting Configuration wizard, you can configure the following four accounting settings:
. SQL logging only. By using this setting, you can configure a data link to a SQL Server that allows NPS to connect to and send accounting data to the SQL server. In addition, the wizard can configure the database on the SQL Server to ensure that the database is compatible with NPS SQL server logging.
. Text logging only. By using this setting, you can configure NPS to log accounting data to a text file.
. Parallel logging. By using this setting, you can configure the SQL Server data link and database. You can also configure text file logging so that NPS logs simultaneously to the text file and the SQL Server database.
. SQL logging with backup. By using this setting, you can configure the SQL Server data link and database. In addition, you can configure text file logging that NPS uses if SQL Server logging fails.
Q8. Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that has the Remote Access server role installed.
DirectAccess is implemented on Server1 by using the default configuration.
You discover that DirectAccess clients do not use DirectAccess when accessing websites on the Internet.
You need to ensure that DirectAccess clients access all Internet websites by using their DirectAccess connection.
What should you do?
A. Configure a DNS suffix search list on the DirectAccess clients.
B. Configure DirectAccess to enable force tunneling.
C. Disable the DirectAccess Passive Mode policy setting in the DirectAccess Client Settings Group Policy object (GPO).
D. Enable the Route all traffic through the internal network policy setting in the DirectAccess Server Settings Group Policy object (GPO).
Answer: B
Explanation:
With IPv6 and the Name Resolution Policy Table (NRPT), by default, DirectAccess clients separate their intranet and Internet traffic as follows:
. DNS name queries for intranet fully qualified domain names (FQDNs) and all intranet traffic is exchanged over the tunnels that are created with the DirectAccess server or directly with intranet servers. Intranet traffic from DirectAccess clients is IPv6 traffic.
. DNS name queries for FQDNs that correspond to exemption rules or do not match the intranet namespace, and all traffic to Internet servers, is exchanged over the physical interface that is connected to the Internet. Internet traffic from DirectAccess clients is typically IPv4 traffic.
In contrast, by default, some remote access virtual private network (VPN) implementations, including the VPN client, send all intranet and Internet traffic over the remote access VPN connection. Internet-bound traffic is routed by the VPN server to intranet IPv4 web proxy servers for access to IPv4 Internet resources. It is possible to separate the intranet and Internet traffic for remote access VPN clients by using split tunneling. This involves configuring the Internet Protocol (IP) routing table on VPN clients so that traffic to intranet locations is sent over the VPN connection, and traffic to all other locations is sent by using the physical interface that is connected to the Internet.
You can configure DirectAccess clients to send all of their traffic through the tunnels to the DirectAccess server with force tunneling. When force tunneling is configured, DirectAccess clients detect that they are on the Internet, and they remove their IPv4 default route. With the exception of local subnet traffic, all traffic sent by the DirectAccess client is IPv6 traffic that goes through tunnels to the DirectAccess server.
Q9. You have a server named Server1 that runs Windows Server 2012 R2. Server1 has the File Server Resource Manager role service installed.
Each time a user receives an access-denied message after attempting to access a folder on Server1, an email notification is sent to a distribution list named DL1.
You create a folder named Folder1 on Server1, and then you configure custom NTFS permissions for Folder1.
You need to ensure that when a user receives an access-denied message while attempting to access Folder1, an email notification is sent to a distribution list named DL2. The solution must not prevent DL1 from receiving notifications about other access-denied messages.
What should you do?
A. From Server Manager, run the New Share Wizard to create a share for Folder1 by selecting the SMB Share - Advanced option.
B. From the File Server Resource Manager console, modify the Access-Denied Assistance settings.
C. From the File Server Resource Manager console, modify the Email Notifications settings.
D. From Server Manager, run the New Share Wizard to create a share for Folder1 by selecting the SMB Share -Applications option.
Answer: A
Reference: http://technet.microsoft.com/en-us/library/jj574182.aspx#BKMK_12
Explanation:
When using the email model each of the file shares, you can determine whether access requests to each file share will be received by the administrator, a distribution list that represents the file share owners, or both.
The owner distribution list is configured by using the SMB Share – Advanced file share profile in the New Share Wizard in Server Manager.
Q10. Your network contains an Active Directory domain named contoso.com. All servers run Windows Server 2012 R2.
Client computers run either Windows 7 or Windows 8. All of the client computers have an application named App1 installed.
The domain contains a Group Policy object (GPO) named GPO1 that is applied to all of the client computers.
You need to add a system variable named App1Data to all of the client computers.
Which Group Policy preference should you configure?
A. Environment
B. Ini Files
C. Data Sources
D. Services
Answer: A
Explanation:
Environment Variable preference items allow you to create, update, replace, and delete user and system environment variables or semicolon-delimited segments of the PATH variable. Before you create an Environment Variable preference item, you should review the behavior of each type of action possible with this extension.