Q1. - (Topic 2)
You need to recommend a solution for the RODC.
Which attribute should you include in the recommendation?
A. systemFlags
B. searchFlags
C. policy-Replication-Flags
D. flags
Answer: B
Explanation: * Scenario: Deploy a read-only domain controller (RODC) to the London office
* The read-only domain controller (RODC) filtered attribute set (FAS) is a set of attributes of the Active Directory schema that is not replicated to an RODC. If you have data that you do not want to be replicated to an RODC in case it is stolen, you can add these attributes to the RODC FAS. If you add the attributes to the RODC FAS before you deploy the first RODC, the attributes are never replicated to any RODC.
* To decide which attributes to add to the RODC FAS, review any schema extensions that have been performed in your environment and determine whether they contain credential-like data or not. In other words, you can exclude from consideration any attributes that are part of the base schema, and review all other attributes. Base schema attributes have the systemFlags attribute value 16 (0x10) set.
Reference: Customize the RODC Filtered Attribute Set
Q2. - (Topic 8)
You manage a server infrastructure for a software development company. There are 30 physical servers distributed across 4 subnets, and one Microsoft Hyper-V cluster that can run up to 100 virtual machines (VMs). You configure the servers to receive the IP address from a DHCP server named SERVER1 that runs Microsoft Windows Server 2012 R2. You assign a 30-day duration to all DHCP leases.
Developers create VMs in the environment to test new software. They may create VMs several times each week.
Developers report that some new VMs cannot acquire an IP address. You observe that the DHCP scope is full and delete non-existent devices manually. All physical servers must keep their current DHCP lease configuration.
You need to ensure that the DHCP lease duration for VMs is 8 hours.
What should you configure?
A. 4 server-level Allow filters
B. 1 server-level DHCP policy
C. 1 scope-level DHCP policy
D. 4 scope-level exclusion ranges
Answer: B
Q3. - (Topic 8)
Your network contains 50 servers that run Windows Server 2003 and 50 servers that run Windows Server 2008.
You plan to implement Windows Server 2012.
You need to create a report that includes the following information:
* The servers that run applications and services that can be moved to Windows Server 2012
* The servers that have hardware that can run Windows Server 2012
* The servers that are suitable to be converted to virtual machines hosted on Hyper-V hosts that run Windows Server 2012
What should you do?
A. From an existing server, run the Microsoft Application Compatibility Toolkit (ACT).
B. Install Windows Server 2012 on a new server, and then run the Windows Server Migration Tools.
C. Install Windows Server 2012 on a new server, and then run Microsoft Deployment Toolkit (MDT) 2012.
D. From an existing server, run the Microsoft Assessment and Planning (MAP) Toolkit.
Answer: D
Explanation:
The Microsoft Assessment and Planning Toolkit (MAP) is an agentless, automated, multiproduct planning and assessment tool for quicker and easier desktop, server and cloud migrations. MAP provides detailed readiness assessment reports and executive proposals with extensive hardware and software information, and actionable recommendations to help organizations accelerate their IT infrastructure planning process, and gather more detail on assets that reside within their current environment. MAP also provides server utilization data for Hyper-V server virtualization planning; identifying server placements, and performing virtualization candidate assessments, including ROI analysis for server consolidation with Hyper-V.
The latest version of the MAP Toolkit adds new scenarios to help you plan your IT future while supporting your current business needs. Included scenarios help you to:
* Plan your deployment of Windows 8 and Windows Server 2012 with hardware and infrastructure readiness assessments
* Assess your environment for Office 2013
* Plan your migration to Windows Azure Virtual Machines
* Track Lync Enterprise/Plus usage
* Size your desktop virtualization needs for both Virtual Desktop Infrastructure (VDI) and session based virtualization using Remote Desktop Services
* Ready your information platform for the cloud with SQL Server 2012
* Virtualize your existing Linux servers onto Hyper-V
* Identify opportunities to lower your virtualization costs with Hyper-V using the VMware migration assessment
MAP is just one of the tools provided by the Microsoft Solution Accelerators team. The Microsoft Assessment and Planning Toolkit, Microsoft Deployment Toolkit, and Security Compliance Manager provide tested guidance and automated tools to help organizations plan, securely deploy, and manage new Microsoft technologies more easily, faster, and at less cost. All are freely available, and fully-supported by Microsoft.
Reference: Microsoft Assessment and Planning Toolkit
Q4. - (Topic 8)
Your network contains an Active Directory domain named contoso.com. The functional level of the domain and the forest is Windows Server 2008 R2.
All domain controllers run Windows Server 2008 R2.
You plan to deploy a new line-of-business application named App1 that uses claims-based authentication.
You need to recommend changes to the network to ensure that Active Directory can provide claims for App1.
What should you include in the recommendation? (Each correct answer presents part of the solution. Choose all that apply.)
A. From the properties of the computer accounts of the domain controllers, enable Kerberos constrained delegation.
B. From the Default Domain Controllers Policy, enable the Support for Dynamic Access Control and Kerberos armoring setting.
C. Deploy Active Directory Lightweight Directory Services (AD LDS).
D. Raise the domain functional level to Windows Server 2012.
E. Add domain controllers that run Windows Server 2012.
Answer: B,E
Explanation: E: You must perform several steps to enable claims in Server 2012 AD. First, you must upgrade the forest schema to Server 2012. You can do so manually through Adprep, but Microsoft strongly recommends that you add the AD DS role to a new Server 2012 server or upgrade an existing DC to Server 2012.
B: Once AD can support claims, you must enable them through Group Policy:
* From the Start screen on a system with AD admin rights, open Group Policy Management and select the Domain Controllers Organizational Unit (OU) in the domain in which you wish to enable claims.
* Right-click the Default Domain Controllers Policy and select Edit.
* In the Editor window, drill down to Computer Configuration, Policies, Administrative Templates, System, and KDC (Key Distribution Center).
* Open KDC support for claims, compound authentication, and Kerberos armoring.
* Select the Enabled radio button. Supported will appear under Claims, compound authentication for Dynamic Access Control and Kerberos armoring options.
Reference: Enable Claims Support in Windows Server 2012 Active Directory
Q5. HOTSPOT - (Topic 4)
You are planning the certificates for Northwind Traders.
You need to identify the certificate configurations required for App1.
How should you configure the certificate request? To answer, select the appropriate options in the answer area.
Answer:
Q6. - (Topic 4)
You need to implement a solution for DNS replication.
Which cmdlets should you run?
A. Set-DnsServer and Invoke-DnsServerZoneSign
B. ConvertTo-DnsServerPrimaryZone and Register-DnsServerDirectoryPartition
C. UnRegister-DnsServerDirectoryPartition and Add-DnsServerForwarder
D. Set-DnsServerDnsSecZoneSetting and Invoke-DnsServerZoneSign
Answer: C
Explanation: * UnRegister-DnsServerDirectoryPartition The UnRegister-DnsServerDirectoryPartition cmdlet deregisters a Domain Name System (DNS) server from a specified DNS application directory partition. After you deregister a DNS server from a DNS application directory partition, the DNS server removes itself from the replication scope of the partition.
* Add-DnsServerForwarder The Add-DnsServerForwarder cmdlet adds one or more forwarders to a DNS server's forwarders list. If you prefer one of the forwarders, put that forwarder first in the series of forwarder IP addresses. After you first use this cmdlet to add forwarders to a DNS server, this cmdlet adds forwarders to the end of the forwarders list.
Q7. - (Topic 3)
You need to recommend a remote access solution that meets the VPN requirements.
Which role service should you include in the recommendation?
A. Routing
B. Network Policy Server
C. DirectAccess and VPN (RAS)
D. Host Credential Authorization Protocol
Answer: B
Explanation:
Scenario:
A server that runs Windows Server 2012 will perform RADIUS authentication for all of the VPN connections.
Ensure that NAP with IPSec enforcement can be configured.
Network Policy Server
Network Policy Server (NPS) allows you to create and enforce organization-wide network access policies for client health, connection request authentication, and connection request authorization. In addition, you can use NPS as a Remote Authentication Dial-In User Service (RADIUS) proxy to forward connection requests to a server running NPS or other RADIUS servers that you configure in remote RADIUS server groups.
NPS allows you to centrally configure and manage network access authentication, authorization, and client health policies with the following three features: RADIUS server. NPS performs centralized authentication, authorization, and accounting for wireless, authenticating switch, remote access dial-up and virtual private network (VPN) connections. When you use NPS as a RADIUS server, you configure network access servers, such as wireless access points and VPN servers, as RADIUS clients in NPS. You also configure network policies that NPS uses to authorize connection requests, and you can configure RADIUS accounting so that NPS logs accounting information to log files on the local hard disk or in a Microsoft SQL Server database.
Reference: Network Policy Server
Q8. DRAG DROP - (Topic 8)
Your network contains an Active Directory domain named contoso.com. The domain contains an IP Address Management (IPAM) server.
You plan to delegate the administration of IPAM as shown in the following table.
You need to recommend which IPAM security group must be used for each department. The solution must minimize the number of permissions assigned to each group.
What should you recommend?
To answer, drag the appropriate group to the correct department in the answer area. Each group may be used once, more than once, or not at all. Additionally, you may need to drag the split bar between panes or scroll to view content.
Answer:
Q9. - (Topic 8)
Your network contains an Active Directory domain named contoso.com. The domain contains multiple sites.
You plan to deploy DirectAccess.
The network security policy states that when client computers connect to the corporate network from the Internet, all of the traffic destined for the Internet must be routed through the corporate network.
You need to recommend a solution for the planned DirectAccess deployment that meets the security policy requirement.
Solution: You set the ISATAP State to state disabled.
Does this meet the goal?
A. Yes
B. No
Answer: A
Explanation: With NAT64 and DNS64, the DirectAccess server now has the ability to take those client IPv6 packets and spin them down into IPv4 packets, so you can simply leave your internal network all IPv4. So back in the beginning it was standard practice to enable ISATAP globally. Today, because of the known issues, it is recommended not to use ISATAP at all, unless you have a specific reason for needing it.
Note: ISATAP defines a method for generating a link-local IPv6 address from an IPv4 address, and a mechanism to perform Neighbor Discovery on top of IPv4.
Reference: IS ISATAP REQUIRED FOR DIRECTACCESS?
Q10. - (Topic 8)
Your network contains an Active Directory domain named contoso.com. The domain contains multiple sites. You plan to deploy DirectAccess.
The network security policy states that when client computers connect to the corporate network from the Internet, all of the traffic destined for the Internet must be routed through the corporate network.
You need to recommend a solution for the planned DirectAccess deployment that meets the security policy requirement.
What should you include in the recommendation?
A. Set the ISATAP State to state enabled.
B. Enable split tunneling.
C. Set the ISATAP State to state disabled.
D. Enable force tunneling.
Answer: D
Explanation:
You can configure DirectAccess clients to send all of their traffic through the tunnels to the DirectAccess server with force tunneling. When force tunneling is configured, DirectAccess clients that detect that they are on the Internet modify their IPv4 default route so that default route IPv4 traffic is not sent. With the exception of local subnet traffic, all traffic sent by the DirectAccess client is IPv6 traffic that goes through tunnels to the DirectAccess server.