Q1. Your network contains an Active Directory domain named contoso.com. The domain
contains three servers named Server1, Server2, and Server3 that run Windows Server 2012 R2. All three servers have the Hyper-V server role installed and the Failover Clustering feature installed.
Server1 and Server2 are nodes in a failover cluster named Cluster1. Several highly available virtual machines run on Cluster1. Cluster1 has the Hyper-V Replica Broker role installed. The Hyper-V Replica Broker currently runs on Server1.
Server3 currently has no virtual machines.
You need to configure Cluster1 to be a replica server for Server3 and Server3 to be a replica server for Cluster1.
Which two tools should you use? (Each correct answer presents part of the solution. Choose two.)
A. The Hyper-V Manager console connected to Server3
B. The Failover Cluster Manager console connected to Server3
C. The Hyper-V Manager console connected to Server1.
D. The Failover Cluster Manager console connected to Cluster1
E. The Hyper-V Manager console connected to Server2
Answer: A,D
Explanation:
A. To configure the Replica server [on a server that is not part of a cluster which in this case is Server3] In Hyper-V Manager, click Hyper-V Settings in the Actions pane. In the Hyper-V Settings dialog, click Replication Configuration.
In the Details pane, select Enable this computer as a Replica server. Etc.
D. To configure a Replica server that is part of a failover cluster.
1. In Server Manager, open Failover Cluster Manager.
2. In the left pane, connect to the cluster, and while the cluster name is highlighted, click Roles in the Navigate category of the Details pane.
3. Right-click the role and choose Replication Settings.
4. In the Details pane, select Enable this cluster as a Replica server. Etc.
Reference: Deploy Hyper-V Replica , Step 2: Enable Replication
http://technet.microsoft.com/en-us/library/jj134240.aspx
Q2. Your network contains an Active Directory domain named contoso.com. The domain contains two member servers named Server1 and Server2. All servers run Windows Server 2012 R2.
Server1 and Server2 have the Failover Clustering feature installed. The servers are configured as nodes in a failover cluster named Cluster1.
You configure File Services and DHCP as clustered resources for Cluster1. Server1 is the active node for both clustered resources.
You need to ensure that if two consecutive heartbeat messages are missed between Server1 and Server2, Server2 will begin responding to DHCP requests. The solution must ensure that Server1 remains the active node for the File Services clustered resource for up to five missed heartbeat messages.
What should you configure?
A. Affinity-None
B. Affinity-Single
C. The cluster quorum settings
D. The failover settings
E. A file server for general use
F. The Handling priority
G. The host priority
H. Live migration
I. The possible owner
J. The preferred owner
K. Quick migration
L. the Scale-Out File Server
Answer: D
Explanation:
The number of heartbeats that can be missed before failover occurs is known as the heartbeat threshold. Heartbeat threshold is failover clustering setting.
Reference: Tuning Failover Cluster Network Thresholds
http://technet.microsoft.com/en-us/library/dn265972.aspx
http://technet.microsoft.com/en-us/library/dd197562(v=ws.10).aspx
http://blogs.msdn.com/b/clustering/archive/2012/11/21/10370765.aspx
Q3. HOTSPOT
Your network contains an Active Directory domain named contoso.com. All servers run Windows Server 2012 R2.
The domain contains two domain controllers. The domain controllers are configured as shown in the following table.
On DC1, you create an Active Directory-integrated zone named Zone1. You verify that
Zone1 replicates to DC2.
You use DNSSEC to sign Zone1.
You discover that the updates to Zone1 fail to replicate to DC2.
You need to ensure that Zone1 replicates to DC2.
What should you configure on DC1?
To answer, select the appropriate tab in the answer area.
Answer:
Q4. Your network contains two Active Directory forests named contoso.com and adatum.com. All of the domain controllers in both of the forests run Windows Server 2012 R2. The adatum.com domain contains a file server named Servers.
Adatum.com has a one-way forest trust to contoso.com.
A contoso.com user name User10 attempts to access a shared folder on Servers and receives the error message shown in the exhibit. (Click the Exhibit button.)
You verify that the Authenticated Users group has Read permissions to the Data folder.
You need to ensure that User10 can read the contents of the Data folder on Server5 in the
adatum.com domain.
What should you do?
A. Grant the Other Organization group Read permissions to the Data folder.
B. Modify the list of logon workstations of the contoso\User10 user account.
C. Enable the Netlogon Service (NP-In) firewall rule on Server5.
D. Modify the permissions on the Server5 computer object in Active Directory.
Answer: D
Explanation:
* To resolve the issue, I had to open up AD Users and Computers --> enable Advanced Features --> Select the Computer Object --> Properties --> Security --> Add the Group I want to allow access to the computer (in this case, DomainA\Domain users) and allow "Allowed to Authenticate". Once I did that, everything worked:
* For users in a trusted Windows Server 2008 or Windows Server 2003 domain or forest to be able to access resources in a trusting Windows Server 2008 or Windows Server 2003 domain or forest where the trust authentication setting has been set to selective authentication, each user must be explicitly granted the Allowed to Authenticate permission on the security descriptor of the computer objects (resource computers) that reside in the trusting domain or forest.
Reference: Grant the Allowed to Authenticate Permission on Computers in the Trusting Domain or Forest.
http://technet.microsoft.com/en-us/library/cc816733(v=ws.10).aspx
Q5. You have a server named Server1 that runs Windows Server 2012 R2. Server1 has the File Server Resource Manager role service installed.
You attempt to delete a classification property and you receive the error message as shown in the exhibit. (Click the Exhibit button.)
You need to delete the isConfidential classification property.
What should you do?
A. Delete the classification rule that is assigned the isConfidential classification property.
B. Disable the classification rule that is assigned the isConfidential classification property.
C. Set files that have an isConfidential classification property value of Yes to No.
D. Clear the isConfidential classification property value of all files.
Answer: A
Explanation:
You would have to delete the classification rule in order to delete the classification property.
Q6. You have a failover cluster named Cluster1 that contains four nodes. All of the nodes run Windows Server 2012 R2.
You need to schedule the installation of Windows updates on the cluster nodes.
Which tool should you use?
A. the Add-CauClusterRole cmdlet
B. the Wusa command
C. the Wuauclt command
D. the Invoke-CauScan cmdlet
Answer: A
Explanation:
To enable self-updating mode, the CAU clustered role must also be added to the failover cluster. To do this by using the CAU UI, under Cluster Actions, use the Configure Self-Updating Options action. Alternatively, run the Add-CauClusterRole Windows PowerShell cmdlet.
Note: The process for installing service packs and hotfixes on Windows Server 2012 differs from the process in earlier versions. In Windows Server 2012, you can use the Cluster-Aware Updating (CAU) feature. CAU automates the software-updating process on clustered servers while maintaining availability.
Reference: Cluster-Aware Updating Overview
Q7. DRAG DROP
Your network contains an Active Directory forest. The forest contains a single domain named contoso.com.
The forest contains two Active Directory sites named Main and Branch1. The sites connect to each other by using a site link named Main-Branch1. There are no other site links.
Each site contains several domain controllers. All domain controllers run Windows Server 2012 R2. Your company plans to open a new branch site named Branch2. The new site will have a WAN link that connects to the Main site only. The site will contain two domain controllers that run Windows Server 2012 R2.
You need to create a new site and a new site link for Branch2. The solution must ensure that the domain controllers in Branch2 only replicate to the domain controllers in Branch1 if all of the domain controllers in Main are unavailable.
Which three actions should you perform?
To answer, move the three appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Answer:
Q8. Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2. Server1 has the Active Directory Certificate Services server role installed and is configured as an enterprise certification authority (CA).
You need to ensure that all of the users in the domain are issued a certificate that can be used for the following purposes:
Email security
Client authentication
Encrypting File System (EFS)
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. From a Group Policy, configure the Certificate Services Client – Auto-Enrollment settings.
B. From a Group Policy, configure the Certificate Services Client – Certificate Enrollment Policy settings.
C. Modify the properties of the User certificate template, and then publish the template.
D. Duplicate the User certificate template, and then publish the template.
E. From a Group Policy, configure the Automatic Certificate Request Settings settings.
Answer: A,D
Explanation:
The default user template supports all of the requirements EXCEPT auto enroll as shown below:
However a duplicated template from users has the ability to autoenroll:
The Automatic Certificate Request Settings GPO setting is only available to Computer, not user.
Reference: Manage Certificate Enrollment Policy by Using Group Policy. http://technet.microsoft.com/en-us/library/dd851772.aspx
Q9. Your network contains an Active Directory domain named corp.contoso.com.
You deploy Active Directory Rights Management Services (AD RMS).
You have a rights policy template named Template1. Revocation is disabled for the template.
A user named User1 can open content that is protected by Template1 while the user is connected to the corporate network.
When User1 is disconnected from the corporate network, the user cannot open the protected content even if the user previously opened the content.
You need to ensure that the content protected by Template1 can be opened by users who are disconnected from the corporate network.
What should you modify?
A. The User Rights settings of Template1
B. The templates file location of the AD RMS cluster
C. The Extended Policy settings of Template1
D. The exclusion policies of the AD RMS cluster
Answer: C
Explanation:
* The extended rights policy of a template controls how content licenses are to be implemented. The extended rights policy template settings are specified by using the Active Directory Rights Management Services (AD RMS) administration site. The available settings control persistence of author rights, whether trusted browsers are supported, license persistence within the content, and enforcement of any application-specific data.
* You can add trust policies so that AD RMS can process licensing requests for content that was rights protected.
Reference: Extended Policy Template Information; AD RMS and Server Design
http://technet.microsoft.com/en-us/library/ee221071(v=ws.10).aspx
Q10. Your network contains an Active Directory domain named contoso.com. All domain controllers run Windows Server 2012 R2. The domain contains two domain controllers.
The domain controllers are configured as shown in the following table.
You configure a user named User1 as a delegated administrator of DC10.
You need to ensure that User1 can log on to DC10 if the network link between the Main site and the Branch site fails.
What should you do?
A. Add User1 to the Domain Admins group.
B. On DC10, modify the User Rights Assignment in Local Policies.
C. Run repadmin and specify the /prp parameter.
D. On DC10, run ntdsutil and configure the settings in the Roles context.
Answer: C
Explanation:
repadmin /prp will allow the password caching of the local administrator to the RODC.
This command lists and modifies the Password Replication Policy (PRP) for read-only domain controllers (RODCs). Reference: RODC Administration https://technet.microsoft.com/en-us/library/cc755310%28v=ws.10%29.aspx