Q1. Your network contains an Active Directory domain named contoso.com. The domain contains a file server named Server1. The File Server Resource Manager role service is installed on Server1. All servers run Windows Server 2012 R2.
A Group Policy object (GPO) named GPO1 is linked to the organizational unit (OU) that contains Server1. The following graphic shows the configured settings in GPO1.
Server1 contains a folder named Folder1. Folder1 is shared as Share1.
You attempt to configure access-denied assistance on Server1, but the Enable access-denied assistance option cannot be selected from File Server Resource Manager.
You need to ensure that you can configure access-denied assistance on Server1 manually by using File Server Resource Manager.
Which two actions should you perform?
A. Set the Enable access-denied assistance on client for all file types policy setting to Disabled for GPO1.
B. Set the Customize message for Access Denied errors policy setting to Not Configured for GPO1.
C. Set the Enable access-denied assistance on client for all file types policy setting to Enabled for GPO1.
D. Set the Customize message for Access Denied errors policy setting to Enabled for GPO1.
Answer: C,D
Explanation:
C. To configure access-denied assistance for all file types by using Group Policy
Open Group Policy Management. In Server Manager, click Tools, and then click Group Policy Management.
Right-click the appropriate Group Policy, and then click Edit.
Click Computer Configuration, click Policies, click Administrative Templates, click System, and then click Access-Denied Assistance.
Right-click Enable access-denied assistance on client for all file types, and then click Edit.
Click Enabled, and then click OK.
D. To configure access-denied assistance by using Group Policy (see step 5)
Open Group Policy Management. In Server Manager, click Tools, and then click Group Policy Management.
Right-click the appropriate Group Policy, and then click Edit.
Click Computer Configuration, click Policies, click Administrative Templates, click System, and then click Access-Denied Assistance.
Right-click Customize message for Access Denied errors, and then click Edit.
Select the Enabled option.
Etc.
Reference: Deploy Access-Denied Assistance (Demonstration Steps) http://technet.microsoft.com/en-us/library/hh831402.aspx
Q2. Your network contains an Active Directory domain named adatum.com. The domain contains two sites named Site1 and Site2 and two domain controllers named DC1 and DC2. DC1 is located in Site1 and DC2 is located in Site2.
You install an additional domain controller named DC3 in Site1 and you ship DC3 to Site2.
A technician connects DC3 to Site2.
You discover that users in Site2 are authenticated only by DC2.
You need to ensure that the users in Site2 are authenticated by both DC2 and DC3.
What should you do?
A. In Active Directory Users and Computers, configure the msDS-PrimaryComputer attribute for DC3.
B. In Active Directory Users and Computers, configure the msDS-Site-Affinity attribute for DC3.
C. From Active Directory Sites and Services, move DC3.
D. From Active Directory Sites and Services, modify the site link between Site1 and Site2.
Answer: C
Explanation:
DC3 needs to be moved to Site2 in AD DS.
Reference: Move a domain controller between sites
http://technet.microsoft.com/en-us/library/cc759326(v=ws.10).aspx
Q3. Your network contains an Active Directory forest named contoso.com. All servers run Windows Server 2012 R2.
The domain contains four servers. The servers are configured as shown in the following table.
You need to deploy IP Address Management (IPAM) to manage DNS and DHCP.
On which server should you install IPAM?
A. DC1
B. DC2
C. DC3
D. Server1
Answer: D
Explanation:
IPAM cannot be installed on domain controllers. All servers, except Server1, have the DC role.
Reference: IP Address Management (IPAM) Overview http://technet.microsoft.com/en-us/library/hh831353.aspx
Q4. Your network contains an Active Directory domain named contoso.com. All servers run Windows Server 2012 R2.
You are creating a central access rule named TestFinance that will be used to audit members of the Authenticated Users group for access failure to shared folders in the finance department.
You need to ensure that access requests are unaffected when the rule is published.
What should you do?
A. Add a User condition to the current permissions entry for the Authenticated Users principal.
B. Set the Permissions to Use the following permissions as proposed permissions.
C. Add a Resource condition to the current permissions entry for the Authenticated Users principal.
D. Set the Permissions to Use following permissions as current permissions.
Answer: B
Explanation:
Proposed permissions enable an administrator to more accurately model the impact of potential changes to access control settings without actually changing them.
Reference: Access Control and Authorization Overview http://technet.microsoft.com/en-us/library/jj134043.aspx
Q5. Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2 and has the DNS Server server role installed.
Server1 has a zone named contoso.com. The zone is configured as shown in the exhibit. (Click the Exhibit button.)
You need to assign a user named User1 permission to add and delete records from the contoso.com zone only.
What should you do first?
A. Enable the Advanced view from DNS Manager.
B. Add User1 to the DnsUpdateProxy group.
C. Run the New Delegation Wizard.
D. Configure the zone to be Active Directory-integrated.
Answer: D
Explanation:
Secure dynamic updates are only supported or configurable for resource records in zones that are stored in Active Directory Domain Services (AD DS).
Note: To modify security for a resource record
Open DNS Manager.
In the console tree, click the applicable zone.
In the details pane, click the record that you want to view.
On the Action menu, click Properties.
On the Security tab, modify the list of member users or groups that are allowed to securely update the applicable record and reset their permissions as needed.
Reference: Modify Security for a Resource Record
Q6. Your network contains one Active Directory forest named contoso.com. The forest contains two child domains and six domain controllers. The domain controllers are configured as shown in the following table.
For the contoso.com domain, a company policy states that administrators must be able to retrieve a list of all the users who have not logged on to the network in the last seven days from any domain controller.
You need to ensure that the users’ last logon information from the last seven days is replicated to all of the domain controllers.
What should you use?
A. Set-ADSite
B. Set-ADReplicationSite
C. Set-ADDomain
D. Set-ADReplicationSiteLink
E. Set-ADGroup
F. Set-ADForest
G. Netdom
Answer: C
Reference: TechNet, Set-ADDomain
https://technet.microsoft.com/en-us/library/ee617212.aspx
Q7. Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2. Server1 has the Active Directory Rights Management Services server role installed.
The domain contains a domain local group named Group1.
You create a rights policy template named Template1. You assign Group1 the rights to Template1.
You need to ensure that all the members of Group1 can use Template1.
What should you do?
A. Configure the email address attribute of Group1.
B. Convert the scope of Group1 to global.
C. Convert the scope of Group1 to universal.
D. Configure the email address attribute of all the users who are members of Group1.
Answer: D
Explanation:
When a user or group is created in Active Directory, the mail attribute is an optional attribute that can be set to include a primary email address for the user or group. For AD RMS to work properly, this attribute must be set because all users must have an email attribute to protect and consume content.
Reference: AD RMS Troubleshooting Guide http://social.technet.microsoft.com/wiki/contents/articles/13130.ad-rms-troubleshooting-guide.aspx
Q8. Your network contains an Active Directory forest named adatum.com. The forest contains a single domain. The domain contains four servers. The servers are configured as shown in the following table.
You need to update the schema to support a domain controller that will run Windows Server 2012 R2.
On which server should you run adprep.exe?
A. Server1
B. DC3
C. DC2
D. DC1
Answer: B
Explanation:
We must use the Windows Server 2008 R2 Server.
Upgrade Domain Controllers to Windows Server 2012 R2 and Windows Server 2012
You can use adprep.exe on domain controllers that run 64-bit versions of Windows Server 2008 or Windows Server 2008 R2 to upgrade to Windows Server 2012. You cannot upgrade domain controllers that run Windows Server 2003 or 32-bit versions of Windows Server 2008. To replace them, install domain controllers that run a later version of Windows Server in the domain, and then remove the domain controllers that run Windows Server 2003.
Reference: Upgrade Domain Controllers to Windows Server 2012 R2 and Windows Server 2012, Supported in-place upgrade paths.
http://technet.microsoft.com/en-us/library/hh994618.aspx#BKMK_UpgradePaths
Q9. Your network contains an Active Directory domain named contoso.com. The domain contains a file server named File1 that runs a Server Core Installation of Windows Server 2012 R2.
File1 has a volume named D that contains home folders. File1 creates a shadow copy of volume D twice a day.
You discover that volume D is almost full.
You add a new volume named H to File1.
You need to ensure that the shadow copies of volume D are stored on volume H.
Which command should you run?
A. The Set-Volume cmdlet with the -driveletter parameter
B. The vssadmin.exe create shadow command
C. The Set-Volume cmdlet with the -path parameter
D. The vssadmin.exe add shadowstorage command
Answer: D
Explanation:
Add ShadowStorage: Adds a shadow copy storage association for a specified volume.
Incorrect:
Not A. Sets or changes the file system label of an existing volume. -DriveLetter: Specifies a letter used to identify a drive or volume in the system.
Not B. Create Shadow: Creates a new shadow copy of a specified volume.
Not C. Sets or changes the file system label of an existing volume. -Path: Contains valid path information.
Reference: Vssadmin; Set-Volume
http://technet.microsoft.com/en-us/library/cc754968(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/hh848673(v=wps.620).aspx
Q10. Your network contains an Active Directory domain named contoso.com. The domain contains four servers named Server1, Server2, Server3, and Server4 that run Windows Server 2012 R2. All servers have the Hyper-V server role and the Failover Clustering feature installed.
You need to replicate virtual machines from Cluster1 to Cluster2.
Which three actions should you perform? (Each correct answer presents part of the solution. Choose three.)
A. From Hyper-V Manager on a node in Cluster2, create three virtual machines.
B. From Cluster2, add and configure the Hyper-V Replica Broker role.
C. From Failover Cluster Manager on Cluster1, configure each virtual machine for replication.
D. From Cluster1, add and configure the Hyper-V Replica Broker role.
E. From Hyper-V Manager on a node in Cluster2, modify the Hyper-V settings.
Answer: C,D,E
Explanation:
D. You must configure the Hyper-V Replica Broker for Cluster1.
E. We must configure the Replica server to receive replication from primary servers:
In Hyper-V Manager, click Hyper-V Settings in the Actions pane.
In the Hyper-V Settings dialog, click Replication Configuration.
In the Details pane, select Enable this computer as a Replica server.
C. Enable virtual machine replication.
Once the hosting server is configured for Replica, you can enable replication for each virtual machine that you want to be replicated.
Reference: Deploy Hyper-V Replica
https://technet.microsoft.com/en-us/library/jj134207.aspx