Q1. Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2 and has the DNS Server server role installed.
Server1 has a zone named contoso.com. The zone is configured as shown in the exhibit. (Click the Exhibit button.)
You need to assign a user named User1 permission to add and delete records from the contoso.com zone only.
What should you do first?
A. Enable the Advanced view from DNS Manager.
B. Add User1 to the DnsUpdateProxy group.
C. Run the New Delegation Wizard.
D. Configure the zone to be Active Directory-integrated.
Answer: D
Q2. Your IT company has a large helpdesk department that deals with various types of calls from printer errors through to Application deployment. To give the help desk more responsibility you want to let them reset user passwords and unlock user accounts. This will speed up their response times for common support calls. Which of the following tools should you use to accomplish this?
A. The Delegation of Control Wizard
B. The Advanced Security Settings dialog box
C. DSUTIL
D. DSACLS
Answer: A
Explanation:
http://technet.microsoft.com/en-us/library/dd145442.aspx
Q3. Your network contains an Active Directory domain named contoso.com. The domain contains six domain controllers. The domain controllers are configured as shown in the following table.
The network contains a server named Server1 that has the Hyper-V server role installed. DC6 is a virtual machine that is hosted on Server1.
You need to ensure that you can clone DC6.
Which FSMO role should you transfer to DC2?
A. Rid master
B. Domain naming master
C. PDC emulator
D. Infrastructure master
Answer: C
Explanation:
The clone domain controller uses the security context of the source domain controller (the domain controller whose copy it represents) to contact the Windows Server 2012 R2 Primary Domain Controller (PDC) emulator operations master role holder (also known as flexible single master operations, or FSMO). The PDC emulator must be running Windows Server 2012 R2, but it does not have to be running on a hypervisor. http: //technet. microsoft. com/en-us/library/hh831734. aspx
Q4. Your network contains an Active Directory domain named contoso.com. The domain contains a member server named Server 1. Server1 runs Windows Server 2012 R2 and has the Hyper-V server role installed.
You create an external virtual switch named Switch1. Switch1 has the following configurations:
. Connection type: External network
. Single-root I/O virtualization (SR-IOV): Enabled
Ten virtual machines connect to Switch1.
You need to ensure that all of the virtual machines that connect to Switch1 are isolated from the external network and can connect to each other only. The solution must minimize network downtime for the virtual machines.
What should you do?
A. Remove Switch1 and recreate Switch1 as an internal network.
B. Change the Connection type of Switch1 to Private network.
C. Change the Connection type of Switch1 to Internal network.
D. Remove Switch1 and recreate Switch1 as a private network.
Answer: B
Explanation: You can change the connection type of a virtual switch from the virtual switch manager without having to remove it. A private virtual network is isolated from all external network traffic on the virtualization server, as well any network traffic between the management operating system and the external network. This type of network is useful when you need to create an isolated networking environment, such as an isolated test domain.
References: http://technet.microsoft.com/en-us/library/cc816585%28v=WS.10%29.aspx http://blogs.technet.com/b/jhoward/archive/2008/06/17/hyper-v-what-are-the-uses-for-different-types-of-virtual-networks.aspx
Q5. Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2. Server1 contains a virtual machine named VM1 that runs Windows Server 2012 R2.
You need to ensure that a user named User1 can install Windows features on VM1. The solution must minimize the number of permissions assigned to User1.
To which group should you add User1?
A. Server Operators on Server1
B. Power Users on VM1
C. Administrators on VM1
D. Hyper-V Administrators on Server1
Answer: D
Explanation: * The Hyper-V role enables you to create and manage a virtualized computing environment by using virtualization technology that is built in to Windows Server 2012. Hyper-V virtualizes hardware to provide an environment in which you can run multiple operating systems at the same time on one physical computer, by running each operating system in its own virtual machine.
* Simplified authorization
The Hyper-V Administrators group is introduced in Windows Server 2012 and is
implemented as a local security group.
What value does this change add?
This group can reduce the number of users that belong to the local Administrators group
while providing users with access to Hyper-V.
What works differently?
The Hyper-V Administrators group is a new local security group. Add users to this group
instead of the local Administrators group to provide them with access to Hyper-V. Members
of the Hyper-V Administrators have complete and unrestricted access to all features of
Hyper-V.
Reference: What's New in Hyper-V for Windows Server 2012
Q6. You have a datacenter that contains six servers. Each server has the Hyper-V server role installed and runs Windows Server 2012 R2. The servers are configured as shown in the following table.
Host4 and Host5 are part of a cluster named Cluster1. Cluster1 hosts a virtual machine named VM1.
You need to move VM1 to another Hyper-V host. The solution must minimize the downtime of VM1.
To which server and by which method should you move VM1?
A. To Host3 by using a storage migration
B. To Host6 by using a storage migration
C. To Host2 by using a live migration
D. To Host1 by using a quick migration
Answer: A
Explanation:
The processor vendors should be the same so Host2 and Host6 are not possible answers Local disk cannot be used neither so Host1 is not a possible answer neither For more information about VM storage migration: http://technet.microsoft.com/en-us/library/hh831656.aspx Virtual Machine Storage Migration Overview Applies To: Windows Server 2012 R2 In Windows Server 2008 R2, you can move a running instance of a virtual machine using live migration, but you are not able to move the virtual machine's storage while the virtual machine is running. Hyper-V in Windows Server 2012 R2 introduces support for moving virtual machine storage without downtime by making it possible to move the storage while the virtual machine remains running. You can perform this task by using a new wizard in Hyper-V Manager or by using new Hyper-V cmdlets for Windows PowerShell. You can add storage to either a stand-alone computer or to a Hyper-V cluster, and then move virtual machines to the new storage while the virtual machines continue to run. The most common reason for moving a virtual machine's storage is to update the physical storage that is available to Hyper-V. You can also move virtual machine storage between physical storage devices, at run time, to respond to reduced performance that results from bottlenecks in the storage throughput.
Key benefits Hyper-V in Windows Server 2012 R2 makes it possible to move virtual machine storage while a virtual machine is running. Requirements You need the following to use the Hyper-V functionality of moving virtual machine storage:
One or more installations of Windows Server 2012 R2 with the Hyper-V role installed. A server that is capable of running Hyper-V. Specifically, it must have processor support for hardware virtualization. Virtual machines that are configured to use only virtual hard disks for storage. NOTE: You cannot move the storage of a virtual machine when any of its storage is directly attached to a physical disk. Technical overview. This new feature allows you to move the virtual hard disks of a virtual machine while those virtual hard disks remain available for use by the running virtual machine. When you move a running virtual machine's virtual hard disks, Hyper-V performs the following steps, as shown in Figure 1: Throughout most of the move operation, disk reads and writes go to the source virtual hard disk. While reads and writes occur on the source virtual hard disk, the disk contents are copied to the new destination virtual hard disk. After the initial disk copy is complete, disk writes are mirrored to both the source and destination virtual hard disks while outstanding disk changes are replicated. After the source and destination virtual hard disks are completely synchronized, the virtual machine switches over to using the destination virtual hard disk. The source virtual hard disk is deleted.
Q7. Which of the following reasons justifies why you should audit failed events?
A. To log resource access for reporting and billing
B. To monitor for malicious attempts to access a resource which has been denied
C. None of these
D. To monitor access that would suggest users are performing actions greater than you had planned
Answer: B
Explanation:
http://technet.microsoft.com/en-us/library/cc778162%28v=ws.10%29.aspx Auditing Security Events Best practices If you decide to audit failure events in the policy change event category, you can see if unauthorized users or attackers are trying to change policy settings, including security policy settings. Although this can be helpful for intrusion detection, the increase in resources that is required and the possibility of a denial-of-service attack usually outweigh the benefits.
Q8. OTSPOT
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that has the Network Policy Server server role installed. The domain contains a server named Server2 that is configured for RADIUS accounting.
Server1 is configured as a VPN server and is configured to forward authentication requests to Server2.
You need to ensure that only Server2 contains event information about authentication requests from connections to Server1.
Which two nodes should you configure from the Network Policy Server console?
To answer, select the appropriate two nodes in the answer area.
Answer:
Q9. RAG DROP
Your network contains an Active Directory domain named contoso.com. The domain contains four member servers named Server 1, Server2, Server3, and Server4. All servers run Windows Server 2012 R2.
Server1 and Server2 are located in a site named Site1. Server3 and Server4 are located in a site named Site2. The servers are configured as nodes in a failover cluster named Cluster1.
Cluster1 is configured to use the Node Majority quorum configuration.
You need to ensure that Server1 is the only server in Site1 that can vote to maintain quorum.
What should you run from Windows PowerShell?
To answer, drag the appropriate commands to the correct location. Each command may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
Answer:
Q10. Your network contains an Active Directory domain named contoso.com. The network contains a file server named Server1 that runs Windows Server 2012 R2. You create a folder named Folder1. You share Folder1 as Share1.
The NTFS permissions on Folder1 are shown in the Folder1 exhibit. (Click the Exhibit button.)
The Everyone group has the Full control Share permission to Folder1.
You configure a central access policy as shown in the Central Access Policy exhibit. (Click the Exhibit button.)
Members of the IT group report that they cannot modify the files in Folder1. You need to
ensure that the IT group members can modify the files in Folder1. The solution must use central access policies to control the permissions. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. On the Security tab of Folder1, remove the permission entry for the IT group.
B. On the Classification tab of Folder1, set the classification to "Information Technology".
C. On the Security tab of Folder1, assign the Modify permission to the Authenticated Users group.
D. On Share1, assign the Change Share permission to the IT group.
E. On the Security tab of Folder1, add a conditional expression to the existing permission entry for the IT group.
Answer: B,C
Explanation:
A: On the Security tab of Folder1, remove the permission entry for the IT group. => tested => it failed of course, users don't even have read permissions anymore
D: On Share1, assign the Change share permission to the IT group =>Everyone already has the full control share permission => won't solve the problem which is about the NTFS Read permission
E: On the Security tab of Folder1, add a conditional expression to the existing permission entry for the IT group => how could a condition, added to a read permission, possibly transform a read to a modify permission? If they had said "modify the permission and add a conditional expression" => ok (even if that's stupid, it works) a condition is Applied to the existing permissions to filter existing access to only matching users or groups so if we Apply a condition to a read permission, the result will only be that less users (only them matching the conditions) will get those read permissions, which actually don't solve the problem neither so only one left:
C: On the Security tab of Folder1, assign the Modify permission to the Authenticated Users group => for sure it works and it's actually the only one which works, but what about security? well i first did not consider this method => "modify" permission for every single authenticated users? But now it looks very clear:
THE MORE RESTRICTIVE PERMISSION IS ALWAYS THE ONE APPLIED!! So "Modify" for Authenticated Users group and this will be filtered by the DAC who only allows IT group. and it matches the current settings that no other user (except admin, creator owner, etc...) can even read the folder. and this link confirms my theory:
http://autodiscover.wordpress.com/2012/09/12/configuring-dynamic-access-controls-andfileclassificationpart4-winservr-2012-dac-microsoft- mvpbuzz/
Configuring Dynamic Access Controls and File Classification
Note:
In order to allow DAC permissions to go into play, allow everyone NTFS full control
permissions and then DAC will overwrite it, if the user doesn't have NTFS permissions he
will be denied access even if DAC grants him access.
And if this can help, a little summary of configuring DAC: