70-411 Flashcards

Question

Your network contains an Active Directory domain named contoso. com. All domain controllers run either Windows Server 2008 or Windows Server 2008 R2. You deploy a new domain controller named DC1 that runs Windows Server 2012 R2. You log on to DC1 by using an account that is a member of the Domain Admins group. You discover that you cannot create Password Settings objects (PSOs) by using Active Directory Administrative Center. You need to ensure that you can create PSOs from Active Directory Administrative Center. What should you do? Available Choices A. Modify the membership of the Group Policy Creator Owners group. B. Transfer the PDC emulator operations master role to DC1. C. Upgrade all of the domain controllers that run Window Server 2008. D. Raise the functional level of the domain.

Answer 1

Raise the functional level of the domain. Explanation: Fine-grained password policies allow you to specify multiple password policies within a single domain so that you can apply different restrictions for password and account lockout policies to different sets of users in a domain. To use a fine-grained password policy, your domain functional level must be at least Windows Server 2008. To enable fine-grained password policies, you first create a Password Settings Object (PSO). You then configure the same settings that you configure for the password and account lockout policies. You can create and apply PSOs in the Windows Server 2012 environment by using the Active Directory Administrative Center (ADAC) or Windows PowerShell. Step 1: Create a PSO Applies To: Windows Server 2008, Windows Server 2008 R2 http: //technet. microsoft. com/en-us//library/cc754461%28v=ws. 10%29. aspx

Answer 2

10 Explanation: One PSO has a precedence value of 2 and the other PSO has a precedence value of 4. In this case, the PSO that has the precedence value of 2 has a higher rank and, hence, is applied to the object.

Answer 3

Active Directory Administrative Center

Answer 4

Recover the items by using Active Directory Recycle Bin. Explanation: Active Directory Recycle Bin helps minimize directory service downtime by enhancing your ability to preserve and restore accidentally deleted Active Directory objects without restoring Active Directory data from backups, restarting Active Directory Domain Services (AD DS), or rebooting domain controllers. When you enable Active Directory Recycle Bin, all link-valued and non-link-valued attributes of the deleted Active Directory objects are preserved and the objects are restored in their entirety to the same consistent logical state that they were in immediately before deletion. For example, restored user accounts automatically regain all group memberships and corresponding access rights that they had immediately before deletion, within and across domains.

Answer 5

From a command prompt, run the dsmgmt local roles command. Explanation: RODC: using the dsmgmt. exe utility to manage local administrators One of the benefits of of RODC is that you can add local administrators who do not have full access to the domain administration. This gives them the abiltiy to manage the server but not add or change active directory objects unless those roles are delegated. Adding this type of user is done using the dsmdmt. exe utility at the command prompt.

Answer 6

Run the dsamain. exe command. Dsamain.exe exposes Active Directory data that is stored in a snapshot or backup as a Lightweight Directory Access Protocol (LDAP) server. Ref: http://technet.microsoft.com/en-us/library/cc772168.aspx

Answer 7

From Active Directory Administrative Center, pre-create an RODC computer account. Explanation: A staged read only domain controller (RODC) installation works in two discrete phases: 1. Staging an unoccupied computer account 2. Attaching an RODC to that account during promotion Reference: Install a Windows Server 2012 R2 Active Directory Read-Only Domain Controller (RODC)

Answer 8

Set-GPLink

Answer 9

A. Dcgpofix Explanation: Dcgpofix Restores the default Group Policy objects to their original state (that is, the default state after initial installation). http: //technet. microsoft. com/en-us/library/hh875588(v=ws. 10). aspx

Answer 10

Set-GPPermission Explanation: Set-GPPermission grants a level of permissions to a security principal (user, security group, or computer) for one GPO or all the GPOs in a domain. You use the TargetName and TargetType parameters to specify a user, security group, or computer for which to set the permission level. -Replace
Specifies that the existing permission level for the group or user is removed before the new permission level is set. If a security principal is already granted a permission level that is higher than the specified permission level and you do not use the Replace parameter, no change is made. [http: //technet. microsoft. com/en-us/library/ee461038. aspx](http://Explanation:%20Set-GPPermission%20grants%20a%20level%20of%20permissions%20to%20a%20security%20principal%20(user,%20security%20group,%20or%20computer)%20for%20one%20GPO%20or%20all%20the%20GPOs%20in%20a%20domain.%20You%20use%20the%20TargetName%20and%20TargetType%20parameters%20to%20specify%20a%20user,%20security%20group,%20or%20computer%20for%20which%20to%20set%20the%20permission%20level.%20%20-Replace%20%20Specifies%20that%20the%20existing%20permission%20level%20for%20the%20group%20or%20user%20is%20removed%20before%20the%20new%20permission%20level%20is%20set.%20If%20a%20security%20principal%20is%20already%20granted%20a%20permission%20level%20that%20is%20higher%20than%20the%20specified%20permission%20level%20and%20you%20do%20not%20use%20the%20Replace%20parameter,%20no%20change%20is%20made.%20%20http:%20//technet.%20microsoft.%20com/en-us/library/ee461038.%20aspx)

Answer 11

Gpfixup Explanation: You can use the gpfixup command-line tool to fix the dependencies that Group Policy objects (GPOs) and Group Policy links in Active Directory Domain Services (AD DS) have on Domain Name System (DNS) and NetBIOS names after a domain rename operation. http: //technet. microsoft. com/en-us/library/hh852336(v=ws. 10). aspx

Answer 12

B. Administrators Explanation: You must have privileges to create WMI filters in the domain in which you want to create the filter. Permissions can be changed by adding a user to the Administrators group. Administrators (A built-in group) After the initial installation of the operating system, the only member of the group is the Administrator account. When a computer joins a domain, the Domain Admins group is added to the Administrators group. When a server becomes a domain controller, the Enterprise Admins group also is added to the Administrators group. The Administrators group has built-in capabilities that give its members full control over the system. The group is the default owner of any object that is created by a member of the group. This example logs in as a test user who is not a domain user or an administrator on the server. This results in the error specifying that DA can only be configured by a user with local administrator permissions. Ref: http://technet.microsoft.com/en-us/library/cc780416(v=ws.10).aspx http://technet.microsoft.com/en-us/library/cc775497(v=ws.10).aspx

Answer 13

Install the Active Directory Federation Services server role and the Remote Access server role on different servers Web Application Proxy is a new Remote Access role service in Windows Server® 2012 R2.

Answer 14

D. From Routing and Remote Access, add an IPv4 routing protocol. Explanation: To configure an existing RRAS server to support both VPN remote access and NAT routing: 1. Open Server Manager. 2. Expand Roles, and then expand Network Policy and Access Services. 3. Right-click Routing and Remote Access, and then click Properties. 4. Select IPv4 Remote access Server or IPv6 Remote access server, or both.

Answer 15

Show-DNSServerCache Explanation: The Show-DNSServerCache shows all cached Domain Name System (DNS) server resource records in the following format: Name, ResourceRecordData, Time-to-Live (TTL).

Answer 16

Start of authority (SOA) Explanation: The time to live is specified in the Start of Authority (SOA) record Note: TTL (time to live) - The number of seconds a domain name is cached locally before expiration and return to authoritative nameservers for updated information.

Answer 17

Add Server2 to a security group in Active Directory. From the Remote Access Management Console, modify the Application Servers settings. Explanation: Unsure about these answers. A public key infrastructure must be deployed. Windows Firewall must be enabled on all profiles. ISATAP in the corporate network is not supported. If you are using ISATAP, you should remove it and use native IPv6. Computers that are running the following operating systems are supported as DirectAccess clients: Windows Server® 2012 R2 Windows 8. 1 Enterprise Windows Server® 2012 Windows 8 Enterprise Windows Server® 2008 R2 Windows 7 Ultimate Windows 7 Enterprise Force tunnel configuration is not supported with KerbProxy authentication. Changing policies by using a feature other than the DirectAccess management console or Windows PowerShell cmdlets is not supported. Separating NAT64/DNS64 and IPHTTPS server roles on another server is not supported.

Answer 18

Create a secondary zone. Explanation: http: //technet. microsoft. com/en-us/library/cc771898. aspx When a zone that this DNS server hosts is a secondary zone, this DNS server is a secondary source for information about this zone. The zone at this server must be obtained from another remote DNS server computer that also hosts the zone With secondary, you have ability to resolve records from the other domain even if its DNS servers are temporarily unavailable While secondary zones contain copies of all the resource records in the corresponding zone on the master name server, stub zones contain only three kinds of resource records: A copy of the SOA record for the zone. Copies of NS records for all name servers authoritative for the zone. Copies of A records for all name servers authoritative for the zone. http: //www. windowsnetworking. com/articles-tutorials/windows-2003/DNS\_Stub\_Zones. html http: //technet. microsoft. com/en-us/library/cc771898. aspx http: //redmondmag. com/Articles/2004/01/01/The-Long-and-Short-of-Stub-Zones. aspx?Page=2

Answer 19

Add Server2 as a name server. Explanation: Typically, adding a secondary DNS server to a zone involves three steps: 1. On the primary DNS server, add the prospective secondary DNS server to the list of name servers that are authoritative for the zone. 2. On the primary DNS server, verify that the transfer settings for the zone permit the zone to be transferred to the prospective secondary DNS server. 3. On the prospective secondary DNS server, add the zone as a secondary zone. You must add a new Name Server. To add a name server to the list of authoritative servers for the zone, you must specify both the server's IP address and its DNS name. When entering names, click Resolve to resolve the name to its IP address prior to adding it to the list. Secondary zones cannot be AD-integrated under any circumstances. You want to be sure Server2 can host, you do not want to delegate a zone. Secondary Domain Name System (DNS) servers help provide load balancing and fault tolerance. Secondary DNS servers maintain a read-only copy of zone data that is transferred periodically from the primary DNS server for the zone. You can configure DNS clients to query secondary DNS servers instead of (or in addition to) the primary DNS server for a zone, reducing demand on the primary server and ensuring that DNS queries for the zone will be answered even if the primary server is not available. How-To: Configure a secondary DNS Server in Windows Server 2012 We need to tell our primary DNS that it is ok for this secondary DNS to pull information from it. Otherwise replication will fail and you will get this big red X. Head over to your primary DNS server, launch DNS manager, expand Forward Lookup Zones, navigate to your primary DNS zone, right-click on it and go to Properties. Go to "Zone Transfers" tab, by default, for security reasons, the "Allow zone transfers: " is un-checked to protect your DNS information. We need to allow zone transfers, if you value your DNS records, you do not want to select "To any server" but make sure you click on "Only to servers listed on the Name Servers tab" Head over to the "Name Servers" tab, click Add You will get "New Name Server Record" window, type in the name of your secondary DNS server. it is always better to validate by name not IP address to avoid future problems in case your IP addresses change. Once done, click OK. You will see your secondary DNS server is now added to your name servers selection, click OK. Now if you head back to to your secondary DNS server and refresh, the big red X will go away and your primary zone data will populate Your secondary DNS is fully setup now. You can not make any DNS changes from your secondary DNS. Secondary DNS is a read-only DNS, Any DNS changes have to be done from the primary DNS. http: //technet. microsoft. com/en-us/library/cc816885%28v=ws. 10%29. aspx http: //technet. microsoft. com/en-us/library/cc816814%28v=ws. 10%29. aspx http: //blog. hyperexpert. com/how-to-configure-a-secondary-dns-server-in-windows-server-2012/ http: //technet. microsoft. com/en-us/library/cc770984. aspx http: //support. microsoft. com/kb/816101 http: //technet. microsoft. com/en-us/library/cc753500. aspx http: //technet. microsoft. com/en-us/library/cc771640(v=ws. 10). aspx http: //technet. microsoft. com/en-us/library/ee649280(v=ws. 10). aspx

Answer 20

Name Resolution Policy Explanation: For DirectAccess, the NRPT must be configured with the namespaces of your intranet with a leading dot (for example, . internal. contoso. com or . corp. contoso. com). For a DirectAccess client, any name request that matches one of these namespaces will be sent to the specified intranet Domain Name System (DNS) servers. Include all intranet DNS namespaces that you want DirectAccess client computers to access. There are no command line methods for configuring NRPT rules. You must use Group Policy settings. To configure the NRPT through Group Policy, use the Group Policy add-in at Computer Configuration \Policies\Windows Settings\Name Resolution Policy in the Group Policy object for DirectAccess clients. You can create a new NRPT rule and edit or delete existing rules. For more information, see Configure the NRPT with Group Policy.

Answer 21

Modify the Security Filtering settings of GPO1. Explanation: Security filtering is a way of refining which users and computers will receive and apply the settings in a Group Policy object (GPO). Using security filtering, you can specify that only certain security principals within a container where the GPO is linked apply the GPO. Security group filtering determines whether the GPO as a whole applies to groups, users, or computers; it cannot be used selectively on different settings within a GPO.

Answer 22

Preferences/Control Panel Settings/Network Option Explanation: 1. Open the Group Policy Management Console . Right-click the Group Policy object (GPO) that should contain the new preference item, and then click Edit . 2. In the console tree under Computer Configuration or User Configuration , expand the Preferences folder, and then expand the Control Panel Settings folder. 3. Right-click the Network Options node, point to New , and select VPN Connection . The Network Options extension allows you to centrally create, modify, and delete dial-up networking and virtual private network (VPN) connections. Before you create a network option preference item, you should review the behavior of each type of action possible with the extension. http: //technet. microsoft. com/en-us/library/cc772449. aspx

Answer 23

Folders & Files Explanation: Folder preference items allow you to create, update, replace, and delete folders and their contents. (To configure individual files rather than folders, see Files Extension. ) Before you create a Folder preference item, you should review the behavior of each type of action possible with this extension. File preference items allow you to copy, modify the attributes of, replace, and delete files. (To configure folders rather than individual files, see Folders Extension. ) Before you create a File preference item, you should review the behavior of each type of action possible with this extension.

Answer 24

The managed Administrative Template settings The Event Log security settings Explanation: http: //technet. microsoft. com/en-us/library/cc778402(v=ws. 10). aspx http: //technet. microsoft. com/en-us/library/bb964258. aspx There are two kinds of Administrative Template policy settings: Managed and Unmanaged . The Group Policy service governs Managed policy settings and removes a policy setting when it is no longer within scope of the user or computer

Answer 25

The Group Policy preferences Explanation: Group Policy preferences provide the means to simplify deployment and standardize configurations. They add to Group Policy a centralized system for deploying preferences (that is, settings that users can change later). You can also use Group Policy preferences to configure applications that are not Group Policy-aware. By using Group Policy preferences, you can change or delete almost any registry setting, file or folder, shortcut, and more. You are not limited by the contents of Administrative Template files. Ref: http://technet.microsoft.com/en-us/library/dn581922.aspx

Answer 26

From Group Policy Management, assign Full control to Admin1 for the WMI Filters container. Explanation: Users with Full control permissions can create and control all WMI filters in the domain, including WMI filters created by others. Users with Creator owner permissions can create WMI filters, but can only control WMI filters that they create. Ref: http://technet.microsoft.com/en-us/library/cc757429(v=ws.10).aspx

Answer 27

Refresh Interval Explanation: By default, the refresh interval for each zone is set to 15 minutes. The refresh interval is used to determine how often other DNS servers that load and host the zone must attempt to renew the zone.

Answer 28

Stub Explanation: When a zone that this DNS server hosts is a stub zone, this DNS server is a source only for information about the authoritative name servers for this zone. The zone at this server must be obtained from another DNS server that hosts the zone. This DNS server must have network access to the remote DNS server to copy the authoritative name server information about the zone. A stub zone is a copy of a zone that contains only necessary resource records (Start of Authority (SOA), Name Server (NS), and Address/Host (A) record) in the master zone and acts as a pointer to the authoritative name server. The stub zone allows the server to forward queries to the name server that is authoritative for the master zone without going up to the root name servers and working its way down to the server. While a stub zone can improve performance, it does not provide redundancy or load sharing. You can use stub zones to: Keep delegated zone information current. By updating a stub zone for one of its child zones regularly, the DNS server that hosts both the parent zone and the stub zone will maintain a current list of authoritative DNS servers for the child zone. Improve name resolution. Stub zones enable a DNS server to perform recursion using the stub zone's list of name servers, without having to query the Internet or an internal root server for the DNS namespace. Simplify DNS administration. By using stub zones throughout your DNS infrastructure, you can distribute a list of the authoritative DNS servers for a zone without using secondary zones. However, stub zones do not serve the same purpose as secondary zones, and they are not an alternative for enhancing redundancy and load sharing. There are two lists of DNS servers involved in the loading and maintenance of a stub zone: The list of master servers from which the DNS server loads and updates a stub zone. A master server may be a primary or secondary DNS server for the zone. In both cases, it will have a complete list of the DNS servers for the zone. The list of the authoritative DNS servers for a zone. This list is contained in the stub zone using name server (NS) resource records. When a DNS server loads a stub zone, such as widgets. tailspintoys. com, it queries the master servers, which can be in different locations, for the necessary resource records of the authoritative servers for the zone widgets. tailspintoys. com. The list of master servers may contain a single server or multiple servers, and it can be changed anytime. http: //technet. microsoft. com/en-us/library/cc771898. aspx http: //technet. microsoft. com/en-us/library/cc754190. aspx http: //technet. microsoft. com/en-us/library/cc730980. aspx

Answer 29

Create an application directory partition. Explanation: You can store Domain Name System (DNS) zones in the domain or application directory partitions of Active Directory Domain Services (AD DS). A partition is a data structure in AD DS that distinguishes data for different replication purposes. When you create an application directory partition for DNS, you can control the scope of replication for the zone that is stored in that partition.

Answer 30

`On NPS1, create a new connection request policy and add a Tunnel-Type and a Service-Type condition. `Configure each Remote Access server to use a RADIUS server named NPS1. Connection request policies are sets of conditions and settings that allow network administrators to designate which RADIUS servers perform the authentication and authorization of connection requests that the server running Network Policy Server (NPS) receives from RADIUS clients. Connection request policies can be configured to designate which RADIUS servers are used for RADIUS accounting. When you configure Network Policy Server (NPS) as a Remote Authentication Dial-In User Service (RADIUS) proxy, you use NPS to forward connection requests to RADIUS servers that are capable of processing the connection requests because they can perform authentication and authorization in the domain where the user or computer account is located. For example, if you want to forward connection requests to one or more RADIUS servers in untrusted domains, you can configure NPS as a RADIUS proxy to forward the requests to the remote RADIUS servers in the untrusted domain. To configure NPS as a RADIUS proxy, you must create a connection request policy that contains all of the information required for NPS to evaluate which messages to forward and where to send the messages. Ref: http://technet.microsoft.com/en-us/library/cc730866(v=ws.10).aspx

Answer 31

**Set the Client IP4 Address condition to 192. 168. 0.** Explanation: RADIUS client properties Following are the RADIUS client conditions that you can configure in network policy. Calling Station ID: Specifies the network access server telephone number that was dialed by the dial-up access client. Client Friendly Name: Specifies the name of the RADIUS client that forwarded the connection request to the NPS server. Client IPv4 Address: Specifies the Internet Protocol (IP) version 4 address of the RADIUS client that forwarded the connection request to the NPS server. Client IPv6 Address: Specifies the Internet Protocol (IP) version 6 address of the RADIUS client that forwarded the connection request to the NPS server. Client Vendor: Specifies the name of the vendor or manufacturer of the RADIUS client that sends connection requests to the NPS server. MS RAS Vendor: Specifies the vendor identification number of the network access server that is requesting authentication.

Answer 32

EAP-TLS ## Footnote Explanation: 802. 1X uses EAP, EAP-TLS, EAP-MS-CHAP v2, and PEAP authentication methods: EAP (Extensible Authentication Protocol) uses an arbitrary authentication method, such as certificates, smart cards, or credentials. EAP-TLS (EAP-Transport Layer Security) is an EAP type that is used in certificate- based security environments, and it provides the strongest authentication and key determination method. EAP-MS-CHAP v2 (EAP-Microsoft Challenge Handshake Authentication Protocol version 2) is a mutual authentication method that supports password-based user or computer authentication. PEAP (Protected EAP) is an authentication method that uses TLS to enhance the security of other EAP authentication protocols.

Answer 33

Automatic updating is enabled. Antivirus is up to date. A firewall is enabled for all network connections. Explanation: The WSHA on NAP client computers running Windows XP SP3 does not monitor the status of antispyware applications.

Answer 34

From Server1, configure Reporting Rollup. Explanation: WSUS Reporting Rollup Sample Tool This tool uses the WSUS application programming interface (API) to demonstrate centralized monitoring and reporting for WSUS. It creates a single report of update and computer status from the WSUS servers into your WSUS environment. The sample package also contains sample source files to customize or extend the tool functionality of the tool to meet specific needs. The WSUS Reporting Rollup Sample Tool and files are provided AS IS. No product support is available for this tool or sample files. For more information read the readme file. http: //technet. microsoft. com/en-us/windowsserver/bb466192. aspx

Answer 35

979708BF-C04B-4525-9FE0-C4150BB6C618 0000000000000000000000155D000F13 Explanation: Use client computer's media access control (MAC) address preceded with twenty zeros or the globally unique identifier (GUID) in the format: {XXXXXXXX-XXXX-XXXX-XXX-XXXXXXXXXXXX}. http: //technet. microsoft. com/en-us/library/cc754469. aspx

Answer 36

The Data Manager settings of DCS1 Explanation: To configure data management for a Data Collector Set 1. In Windows Performance Monitor, expand Data Collector Sets and click User Defined. 2. In the console pane, right-click the name of the Data Collector Set that you want to configure and click Data Manager. 3. On the Data Manager tab, you can accept the default values or make changes according to your data retention policy. See the table below for details on each option. When Minimum free disk or Maximum folders is selected, previous data will be deleted according to the Resource policy you choose (Delete largest or Delete oldest) when the limit is reached. When Apply policy before the data collector set starts is selected, previous data will be deleted according to your selections before the data collector set creates its next log file. When Maximum root path size is selected, previous data will be deleted according to your selections when the root log folder size limit is reached. 4. Click the Actions tab. You can accept the default values or make changes. See the table below for details on each option. 5. When you have finished making your changes, click OK.

Answer 37

Run dism. exe and specify the /get-imageinfo parameter. Explanation: Option: /Get-ImageInfo Arguments: /ImageFile:
[{/Index: | /Name: }] Displays information about the images that are contained in the . wim, vhd or . vhdx file. When used with the / Index or /Name argument, information about the specified image is displayed, which includes if an image is a WIMBoot image, if the image is Windows 8. 1 Update, see Take Inventory of an Image or Component Using DISM. The /Name argument does not apply to VHD files. You must specify /Index: 1 for VHD files. http: //technet. microsoft. com/en-us/library/cc749447(v=ws. 10). aspx http: //technet. microsoft. com/en-us/library/dd744382(v=ws. 10). aspx http: //technet. microsoft. com/en-us/library/hh825224. aspx

Answer 38

`Run dism. exe and specify the /apply-image parameter. Run dism. exe and specify the /append-image parameter.

Answer 39

On Server1, create a source computer initiated subscription. From a Group Policy object (GPO), configure the Configure target Subscription Manager setting. Explanation: To set up a Source-Initiated Subscription with Windows Server 2003/2008 so that events of interest from the Security event log of several domain controllers can be forwarded to an administrative workstation \* Group Policy The forwarding computer needs to be configured with the address of the server to which the events are forwarded. This can be done with the following group policy setting: Computer configuration-Administrative templates-Windows components-Event forwarding-Configure the server address, refresh interval, and issue certificate authority of a target subscription manager. \* Edit the GPO and browse to Computer Configuration | Policies | Administrative Templates | Windows Components | Event Forwarding - Configure the server address, refresh interval, and issuer certificate authority of a target Subscription Manager

Answer 40

Hyper-V Management

Answer 41

From a command prompt, run wsusutil. exe and specify the movecontent parameter. Explanation: Local Storage Considerations If you decide to store update files on your server, the recommended minimum disk size is 30 GB. However, depending on the synchronization options you specify, you might need to use a larger disk. For example, when specifying advanced synchronization options, as in the following procedure, if you select options to download multiple languages and/or the option to download express installation files, your server disk can easily reach 30 GB. Therefore if you choose any of these options, install a larger disk (for example, 100 GB). If your disk gets full, you can install a new, larger disk and then move the update files to the new location. To do this, after you create the new disk drive, you will need to run the WSUSutil. exe tool (with the movecontent command) to move the update files to the new disk. For this procedure, see Managing WSUS from the Command Line. For example, if D: \WSUS1 is the new path for local WSUS update storage, D: \move. log is the path to the log file, and you wanted to copy the old files to the new location, you would type: wsusutil. exe movecontent D: \WSUS1\ D: \move. log Note: If you do not want to use WSUSutil. exe to change the location of local WSUS update storage, you can also use NTFS functionality to add a partition to the current location of local WSUS update storage. For more information about NTFS, go to Help and Support Center in Windows Server 2003. Syntax At the command line %drive%\Program Files\Update Services\Tools\>, type: wsusutilmovecontentcontentpathlogfile -skipcopy [/?] The parameters are defined in the following table. contentpath - the new root for content files. The path must exist. logfile - the path and file name of the log file to create. -skipcopy - indicates that only the server configuration should be changed, and that the content files should not be copied. /help or /? - displays command-line help for movecontent command. http: //blogs. technet. com/b/sus/archive/2008/05/19/wsus-how-to-change-the-location-where-wsus- stores-updates-locally. aspx http: //technet. microsoft. com/en-us/library/cc720475(v=ws. 10). aspx http: //technet. microsoft. com/en-us/library/cc708480%28v=ws. 10%29. aspx http: //technet. microsoft. com/en-us/library/cc720466(v=ws. 10). aspx http: //technet. microsoft. com/en-us/library/cc708480%28v=ws. 10%29. aspx

Answer 42

`Set the Ordering method of \\contoso. com\public to Exclude targets outside of the client's site. `Set the Advanced properties of the folder target in the Seattle office to First among targets of equal cost. Explanation: Exclude targets outside of the client's site In this method, the referral contains only the targets that are in the same site as the client. These same- site targets are listed in random order. If no same-site targets exist, the client does not receive a referral and cannot access that portion of the namespace. Note: Targets that have target priority set to "First among all targets" or "Last among all targets" are still listed in the referral, even if the ordering method is set to Exclude targets outside of the client's site . Note 2: Set the Ordering Method for Targets in Referrals A referral is an ordered list of targets that a client computer receives from a domain controller or namespace server when the user accesses a namespace root or folder with targets. After the client receives the referral, the client attempts to access the first target in the list. If the target is not available, the client attempts to access the next target.

Answer 43

Set-TpmOwnerAuth Explanation: The Set-TpmOwnerAuthcmdlet changes the current owner authorization value of the Trusted Platform Module (TPM) to a new value. You can specify the current owner authorization value or specify a file that contains the current owner authorization value. If you do not specify an owner authorization value, the cmdlet attempts to read the value from the registry. Use the ConvertTo-TpmOwnerAuthcmdlet to create an owner authorization value. You can specify a new owner authorization value or specify a file that contains the new value.

Answer 44

Create a new quota for Folder1. By using auto apply quotas, you can assign a quota template to a parent volume or folder. Then File Server Resource Manager automatically generates quotas that are based on that template. Quotas are generated for each of the existing subfolders and for subfolders that you create in the future. Ref: http://technet.microsoft.com/en-us/library/cc731577.aspx

Answer 45

`Windows Deployment Services ## Footnote Explanation: Windows Deployment Services (WDS) is a server role that enables you to remotely deploy Windows operating systems. You can use it to set up new computers by using a network-based installation. This means that you do not have to install each operating system directly from a CD, USB drive or DVD. To use Windows Deployment Services, you should have a working knowledge of common desktop deployment technologies and networking components, including Dynamic Host Configuration Protocol (DHCP), Domain Name System (DNS), and Active Directory Domain Services (AD DS). It is also helpful to understand the Preboot eXecution Environment (also known as Pre-Execution Environment).

Answer 46

Server 5 Explanation: The BitLocker Network Unlock feature will install the WDS role if it is not already installed. If you want to install it separately before you install BitLocker Network Unlock you can use Server Manager or Windows PowerShell. To install the role using Server Manager, select the Windows Deployment Services role in Server Manager.

Answer 47

a file screen ## Footnote Explanation: Create file screens to control the types of files that users can save, and generate notifications when users attempt to save unauthorized files. With File Server Resource Manager (FSRM) you can create file screens that prevent users from saving unauthorized files on volumes or folders. File Screen Enforcement: You can create file screens to prevent users from saving unauthorized files on volumes or folders. There are two types of file screen enforcement: active and passive enforcement. Active file screen enforcement does not allow the user to save an unauthorized file. Passive file screen enforcement allows the user to save the file, but notifies the user that the file is not an authorized file. You can configure notifications, such as events logged to the event log or e-mails sent to users and administrators, as part of active and passive file screen enforcement.

Answer 48

From a command prompt, run dsamain. exe -dbpath c: \ $snap\_201204131056\_volumec$\windows\ntds\ntds. dit -Idapport 33389. Explanation: By default, only members of the Domain Admins group and the Enterprise Admins group are allowed to view the snapshots because they contain sensitive AD DS data. If you want to access snapshot data from an old domain or forest that has been deleted, you can allow nonadministrators to access the data when you run Dsamain. exe. If you plan to view the snapshot data on a domain controller, specify ports that are different from the ports that the domain controller will use. A client starts an LDAP session by connecting to an LDAP server, called a Directory System Agent (DSA), by default on TCP port and UDP [7] port 389. The client then sends an operation request to the server, and the server sends responses in return. With some exceptions, the client does not need to wait for a response before sending the next request, and the server may send the responses in any order. All information is transmitted using Basic Encoding Rules (BER). http: //technet. microsoft. com/en-us/library/cc753609(v=ws. 10). aspx

Answer 49

From a command prompt, run the dsmgmt local roles command. Explanation: RODC: using the dsmgmt. exe utility to manage local administrators One of the benefits of of RODC is that you can add local administrators who do not have full access to the domain administration. This gives them the abiltiy to manage the server but not add or change active directory objects unless those roles are delegated. Adding this type of user is done using the dsmdmt. exe utility at the command prompt.

Answer 50

manage-bde -on e: Explanation: Manage-bde: on Encrypts the drive and turns on BitLocker. Example: The following example illustrates using the -on command to turn on BitLocker for drive C and add a recovery password to the drive. manage-bde on C: -recoverypassword

Answer 51

the Security settings of C: \Share1 Explanation: You can use Computer Management to track all connections to shared resources on a Windows Server 2008 R2 system. Whenever a user or computer connects to a shared resource, Windows Server 2008 R2 lists a connection in the Sessions node. File access, modification and deletion can only be tracked, if the object access auditing is enabled you can see the entries in event log. To view connections to shared resources, type net session at a command prompt or follow these steps: In Computer Management, connect to the computer on which you created the shared resource. 1. In the console tree, expand System Tools, expand Shared Folders, and then select Sessions. You can 2. now view connections to shares for users and computers. To enable folder permission auditing, you can follow the below steps: Click start and run "secpol. msc" without quotes. 1. Open the Local Policies\Audit Policy 2. Enable the Audit object access for "Success" and "Failure". 3. Go to target files and folders, right click the folder and select properties. 4. Go to Security Page and click Advanced. 5. Click Auditing and Edit. 6. Click add, type everyone in the Select User, Computer, or Group. 7. Choose Apply onto: This folder, subfolders and files. 8. Tick on the box "Change permissions" 9. Click OK. 10. After you enable security auditing on the folders, you should be able to see the folder permission changes in the server's Security event log. Task Category is File System. http: //social. technet. microsoft. com/Forums/en-US/winservergen/thread/13779c78-0c73-4477-8014- f2eb10f3f10f/ http: //technet. microsoft. com/en-us/library/cc753927(v=ws. 10). aspx http: //social. technet. microsoft. com/Forums/en-US/winservergen/thread/13779c78-0c73-4477-8014- f2eb10f3f10f/ http: //support. microsoft. com/kb/300549 http: //www. windowsitpro. com/article/permissions/auditing-folder-permission-changes http: //www. windowsitpro. com/article/permissions/auditing-permission-changes-on-a-folder

Answer 52

Add-BitLockerKeyProtector Explanation: 4. Add an Active Directory Security Identifier (SID) to the CSV disk using the Cluster Name Object (CNO) The Active Directory protector is a domain security identifier (SID) based protector for protecting clustered volumes held within the Active Directory infrastructure. It can be bound to a user account, machine account or group. When an unlock request is made for a protected volume, the BitLocker service interrupts the request and uses the BitLocker protect/unprotect APIs to unlock or deny the request. For the cluster service to selfmanage BitLocker enabled disk volumes, an administrator must add the Cluster Name Object (CNO), which is the Active Directory identity associated with the Cluster Network name, as a BitLocker protector to the target disk volumes. Add-BitLockerKeyProtector -ADAccountOrGroupProtector ADAccountOrGroup $cno

Answer 53

A Name Suffix value of dal. contoso. com and a blank DNS Server Address value Explanation: Split-brain DNS is the use of the same DNS domain for both Internet and intranet resources. For example, the Contoso Corporation is using split brain DNS; contoso. com is the domain name for intranet resources and Internet resources. Internet users use http: //www. contoso. com to access Contoso's public Web site and Contoso employees on the Contoso intranet use http: //www. contoso. com to access Contoso's intranet Web site. A Contoso employee with their laptop that is not a DirectAccess client on the intranet that accesses http: //www. contoso. com sees the intranet Contoso Web site. When they take their laptop to the local coffee shop and access that same URL, they will see the public Contoso Web site. When a DirectAccess client is on the Internet, the Name Resolution Policy Table (NRPT) sends DNS name queries for intranet resources to intranet DNS servers. A typical NRPT for DirectAccess will have a rule for the namespace of the organization, such as contoso. com for the Contoso Corporation, with the Internet Protocol version 6 (IPv6) addresses of intranet DNS servers. With just this rule in the NRPT, when a user on a DirectAccess client on the Internet attempts to access the uniform resource locator (URL) for their Web site (such as http: //www. contoso. com), they will see the intranet version. Because of this rule, they will never see the public version of this URL when they are on the Internet. For split-brain DNS deployments, you must list the FQDNs that are duplicated on the Internet and intranet and decide which resources the DirectAccess client should reach, the intranet version or the public (Internet) version. For each name that corresponds to a resource for which you want DirectAccess clients to reach the public version, you must add the corresponding FQDN as an exemption rule to the NRPT for your DirectAccess clients. Name suffixes that do not have corresponding DNS servers are treated as exemptions. http: //technet. microsoft. com/en-us/library/ee382323(v=ws. 10). aspx

Answer 54

Create a network policy. ## Footnote Explanation: Network policies are sets of conditions, constraints, and settings that allow you to designate who is authorized to connect to the network and the circumstances under which they can or cannot connect. Network policies can be viewed as rules. Each rule has a set of conditions and settings. Configure your VPN server to use Network Access Protection (NAP) to enforce health requirement policies http: //technet. microsoft. com/en-us/library/hh831683. aspx http: //technet. microsoft. com/en-us/library/cc754107. aspx http: //technet. microsoft. com/en-us/library/dd314165%28v=ws. 10%29. aspx http: //technet. microsoft. com/en-us/windowsserver/dd448603. aspx http: //technet. microsoft. com/en-us/library/dd314165(v=ws. 10). aspx http: //technet. microsoft. com/en-us/library/dd469733. aspx http: //technet. microsoft. com/en-us/library/dd469660. aspx http: //technet. microsoft. com/en-us/library/cc753603. aspx http: //technet. microsoft. com/en-us/library/cc754033. aspx http: //technet. microsoft. com/en-us/windowsserver/dd448603. aspx

Answer 55

The Record time stamp value of the static resource records Explanation: Reset and permit them to use a current (non-zero) time stamp value. This enables these records to become aged and scavenged. You can use this procedure to change how a specific resource record is scavenged. A stale record is a record where both the No-Refresh Interval and Refresh Interval have passed without the time stamp updating. DNS-\>View-\>Advanced Depending on the how the resource record was originally added to the zone, do one of the following: If the record was added dynamically using dynamic update, clear the Delete this record when it becomes stale check box to prevent its aging or potential removal during the scavenging process. If dynamic updates to this record continue to occur, the Domain Name System (DNS) server will always reset this check box so that the dynamically updated record can be deleted. If you added the record statically, select the Delete this record when it becomes stale check box to permit its aging or potential removal during the scavenging process. http: //technet. microsoft. com/en-us/library/cc759204%28v=ws. 10%29. aspx http: //technet. microsoft. com/en-us/library/cc759204%28v=ws. 10%29. aspx Typically, stale DNS records occur when a computer is permanently removed from the network. Mobile users who abnormally disconnect from the network can also cause stale DNS records. To help manage stale records, Windows adds a time stamp to dynamically added resource records in primary zones where aging and scavenging are enabled. Manually added records are time stamped with a value of 0, and they are automatically excluded from the aging and scavenging process. To enable aging and scavenging, you must do the following: Resource records must be either dynamically added to zones or manually modified to be used in aging and scavenging operations. Scavenging and aging must be enabled both at the DNS server and on the zone. Scavenging is disabled by default. DNS scavenging depends on the following two settings: No-refresh interval: The time between the most recent refresh of a record time stamp and the moment when the time stamp can be refreshed again. When scavenging is enabled, this is set to 7 days by default. Refresh interval: The time between the earliest moment when a record time stamp can be refreshed and the earliest moment when the record can be scavenged. The refresh interval must be longer than the maximum record refresh period. When scavenging is enabled, this is set to 7 days by default. A DNS record becomes eligible for scavenging after both the no-refresh and refresh intervals have elapsed. If the default values are used, this is a total of 14 days. http: //technet. microsoft. com/en-us/library/cc759204%28v=ws. 10%29. aspx http: //technet. microsoft. com/en-us/library/cc759204%28v=ws. 10%29. aspx http: //technet. microsoft. com/en-us/library/cc771570. aspx http: //technet. microsoft. com/en-us/library/cc771677. aspx http: //technet. microsoft. com/en-us/library/cc758321(v=ws. 10). aspx

Answer 56

Create a zone delegation that points to Server2. Explanation: You can divide your Domain Name System (DNS) namespace into one or more zones. You can delegate management of part of your namespace to another location or department in your organization by delegating the management of the corresponding zone. For more information, see Understanding Zone Delegation

Answer 57

Right-click the contoso. com zone and click Transfer from Master. ## Footnote Explanation: Initiates zone transfer from secondary server Open DNS; In the console tree, right-click the applicable zone and click Transfer from master. http: //technet. microsoft. com/en-us/library/cc779391%28v=ws. 10%29. aspx http: //technet. microsoft. com/en-us/library/cc779391%28v=ws. 10%29. aspx http: //technet. microsoft. com/en-us/library/cc786985(v=ws. 10). aspx http: //technet. microsoft. com/en-us/library/cc779391(v=ws. 10). aspx

Answer 58

Group Policy Management Console (GPMC) Explanation: In the previous versions of Windows, this was accomplished by having the user run GPUpdate. exe on their computer. Starting with Windows Server® 2012 and Windows® 8, you can now remotely refresh Group Policy settings for all computers in an OU from one central location through the Group Policy Management Console (GPMC). Or you can use the Invoke-GPUpdatecmdlet to refresh Group Policy for a set of computers, not limited to the OU structure, for example, if the computers are located in the default computers container. http: //technet. microsoft. com/en-us//library/jj134201. aspx http: //blogs. technet. com/b/grouppolicy/archive/2012/11/27/group-policy-in-windows-server-2012- using-remote-gpupdate. aspx

Answer 59

Generate ADMX from ADM Explanation: The ADMX Migrator provides two conversion methods -- through the editor or through a command- line program. From the ADMX Editor, choose the option to Generate ADMX from ADM. Browse to your ADM file, and the tool quickly and automatically converts it. You then can open the converted file in the editor to examine its values and properties and modify it if you wish. The ADMX Migrator Command Window is a little more complicated; it requires you to type a lengthy command string at a prompt to perform the conversions. However, it includes some options and flexibility not available in the graphical editor. http: //technet. microsoft. com/pt-pt/magazine/2008. 02. utilityspotlight%28en-us%29. aspx http: //technet. microsoft. com/pt-pt/magazine/2008. 02. utilityspotlight%28en-us%29. aspx

Answer 60

Copy Template1. admx to \\Contoso. com\SYSVOL\Contoso. com\Policies\PolicyDefinitions\. Explanation: Unlike ADM files, ADMX files are not stored in individual GPOs. For domain-based enterprises, administrators can create a central store location of ADMX files that is accessible by anyone with permission to create or edit GPOs.

Answer 61

logman Explanation: You can enable NAP client tracing by using the command line. On computers running Windows Vista®, you can enable tracing by using the NAP Client Configuration console. NAP client tracing files are written in Event Trace Log (ETL) format. These are binary files representing trace data that must be decoded by Microsoft support personnel. Use the o option to specify the directory to which they are written. In the following example, files are written to %systemroot%\tracing\nap. For more information, see Logman (http: //go. microsoft. com/fwlink/?LinkId=143549). To create NAP event trace log files on a client computer Open a command line as an administrator. 1. Type 2. logman start QAgentRt -p {b0278a28-76f1-4e15-b1df-14b209a12613} 0xFFFFFFFF 9 -o %systemroot%\tracing\nap\QAgentRt. etl ets. Note: To troubleshoot problems with WSHA, use the following GUID: 789e8f15-0cbf-4402-b0ed- 0e22f90fdc8d. Reproduce the scenario that you are troubleshooting. 3. Type logman stop QAgentRt -ets. 4. Close the command prompt window. 5. http: //technet. microsoft. com/en-us/library/dd348461%28v=ws. 10%29. aspx

Answer 62

Change the Priority of NPS3 to 10. Explanation: Priority. Priority specifies the order of importance of the RADIUS server to the NPS proxy server. Priority level must be assigned a value that is an integer, such as 1, 2, or 3. The lower the number, the higher priority the NPS proxy gives to the RADIUS server. For example, if the RADIUS server is assigned the highest priority of 1, the NPS proxy sends connection requests to the RADIUS server first; if servers with priority 1 are not available, NPS then sends connection requests to RADIUS servers with priority 2, and so on. You can assign the same priority to multiple RADIUS servers, and then use the Weight setting to load balance between them.

Answer 63

The Authentication settings The User Name condition Explanation: The User Name attribute group contains the User Name attribute. By using this attribute, you can designate the user name, or a portion of the user name, that must match the user name supplied by the access client in the RADIUS message. This attribute is a character string that typically contains a realm name and a user account name. You can use pattern- matching syntax to specify user names. By using this setting, you can override the authentication settings that are configured in all network policies and you can designate the authentication methods and types that are required to connect to your network. Forward requests to the following remote RADIUS server group . By using this setting, NPS forwards connection requests to the remote RADIUS server group that you specify. If the NPS server receives a valid Access-Accept message that corresponds to the Access- Request message, the connection attempt is considered authenticated and authorized. In this case, the NPS server acts as a RADIUS proxy Connection request policies are sets of conditions and profile settings that give network administrators flexibility in configuring how incoming authentication and accounting request messages are handled by the IAS server. With connection request policies, you can create a series of policies so that some RADIUS request messages sent from RADIUS clients are processed locally (IAS is being used as a RADIUS server) and other types of messages are forwarded to another RADIUS server (IAS is being used as a RADIUS proxy). This capability allows IAS to be deployed in many new RADIUS scenarios. With connection request policies, you can use IAS as a RADIUS server or as a RADIUS proxy, based on the time of day and day of the week, by the realm name in the request, by the type of connection being requested, by the IP address of the RADIUS client, and so on. http: //technet. microsoft. com/en-us/library/cc757328. aspx http: //technet. microsoft. com/en-us/library/cc753603. aspx

Answer 64

A performance counter alert Explanation: Performance alerts notify you when a specified performance counter exceeds your configured threshold by logging an event to the event log. But rather than notifying you immediately when the counter exceeds the threshold, you can configure a time period over which the counter needs to exceed the threshold, to avoid unnecessary alerts.

Answer 65

Dism Explanation: You can use the Deployment Image Servicing and Management (DISM) tool to mount a Windows image from a WIM or VHD file. Mounting an image maps the contents of the image to a directory so that you can service the image using DISM without booting into the image. You can also perform common file operations, such as copying, pasting, and editing on a mounted image. To apply packages and updates to a Windows Embedded Standard 7 image, we recommend creating a configuration set and then using Deployment Imaging Servicing and Management (DISM) to install that configuration set. Although DISM can be used to install individual updates to an image, this method carries some additional risks and is not recommended.

Answer 66

A Performance Counter Alert System configuration information Explanation: Automatically run a program when the amount of total free disk space on Server1 drops below 10 percent of capacity. You can also configure alerts to start applications and performance logs Log the current values of several registry settings. System configuration information allows you to record the state of, and changes to, registry keys. Total free disk space Registry settings Run a program on alert http: //technet. microsoft. com/en-us/library/cc766404. aspx

Answer 67

Modify the properties of the install images.

Answer 68

Create and link a Group Policy object (GPO) to the ResearchServers OU. Explanation: For a domain, and you are on a member server or a workstation that is joined to the domain 1. Open Microsoft Management Console (MMC). 2. On the File menu, click Add/Remove Snap-in, and then click Add. 3. Click Group Policy Object Editor, and then click Add. 4. In Select Group Policy Object, click Browse. 5. In Browse for a Group Policy Object, select a Group Policy object (GPO) in the appropriate domain, site, or organizational unit--or create a new one, click OK, and then click Finish. 6. Click Close, and then click OK. 7. In the console tree, click Password Policy. Where? Group Policy Object [computer name] Policy/Computer Configuration/Windows Settings/Security Settings/Account Policies/Password Policy 8. In the details pane, right-click the policy setting that you want, and then click Properties. 9. If you are defining this policy setting for the first time, select the Define this policy setting check box. 10. Select the options that you want, and then click OK.

Answer 69

Transfer the PDC emulator to DC2. Explanation: A deployed Windows Server 2012 domain controller (virtualized or physical) that hosts the PDC emulator role (DC1). To verify whether the PDC emulator role is hosted on a Windows Server 2012 domain controller, run the following Windows PowerShell command: Get-ADComputer (Get-ADDomainController Discover Service "PrimaryDC"). name Property operatingsystemversion | fl http: //technet. microsoft. com/en-us/library/hh831734. aspx#steps\_deploy\_vdc

Answer 70

Ldp Explanation: Use Ldp. exe to restore a single, deleted Active Directory object This feature takes advantage of the fact that Active Directory keeps deleted objects in the database for a period of time before physically removing them. use Ldp. exe to restore a single, deleted Active Directory object The LPD. exe tool, included with Windows Server 2012, allows users to perform operations against any LDAP-compatible directory, including Active Directory. LDP is used to view objects stored in Active Directory along with their metadata, such as security descriptors and replication metadata. http: //www. petri. co. il/manually-undeleting-objects-windows-active-directory-ad. htm http: //www. petri. co. il/manually-undeleting-objects-windows-active-directory-ad. htm http: //technet. microsoft. com/en-us/magazine/2007. 09. tombstones. aspx http: //technet. microsoft. com/nl-nl/library/dd379509(v=ws. 10). aspx#BKMK\_2 http: //technet. microsoft. com/en-us/library/hh875546. aspx http: //technet. microsoft. com/en-us/library/dd560651(v=ws. 10). aspx

Answer 71

Adsiedit. msc Explanation: How to perform a non-authoritative synchronization of DFSR-replicated SYSVOL (like "D2" for FRS) In the ADSIEDIT. MSC tool modify the following distinguished name (DN) value and attribute on 1. each of the domain controllers that you want to make non-authoritative: CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=,OU=Domain Controllers,DC=
msDFSR-Enabled=FALSE Force Active Directory replication throughout the domain. 2. Run the following command from an elevated command prompt on the same servers that you set as 3. non-authoritative: DFSRDIAG POLLAD You will see Event ID 4114 in the DFSR event log indicating SYSVOL is no longer being replicated. 4. On the same DN from Step 1, set: 5. msDFSR-Enabled=TRUE Force Active Directory replication throughout the domain. 6. Run the following command from an elevated command prompt on the same servers that you set as 7. non-authoritative: DFSRDIAG POLLAD You will see Event ID 4614 and 4604 in the DFSR event log indicating SYSVOL has been 8. initialized. That domain controller has now done a "D2" of SYSVOL. Note: Active Directory Service Interfaces Editor (ADSI Edit) is a Lightweight Directory Access Protocol (LDAP) editor that you can use to manage objects and attributes in Active Directory. ADSI Edit (adsiedit. msc) provides a view of every object and attribute in an Active Directory forest. You can use ADSI Edit to query, view, and edit attributes that are not exposed through other Active Directory Microsoft Management Console (MMC) snap- ins: Active Directory Users and Computers, Active Directory Sites and Services, Active Directory Domains and Trusts, and Active Directory Schema.

Answer 72

Right-click the Sales OU and select Delegate Control. Explanation: G\_HelpDesk members need to be allowed to delegate control on the Sales OU as it contains the sales users (G\_Sales) You can use the Delegation of Control Wizard to delegate the Reset Password permission to the delegated user. http: //support. microsoft. com/kb/296999/en-us http: //support. microsoft. com/kb/296999/en-us http: //technet. microsoft. com/en-us/library/cc732524. aspx

Answer 73

In D: \Windows\NTDS\, create an XML file named CustomDCCloneAllowList. xml and add the application information to the file. Explanation: Place the CustomDCCloneAllowList. xml file in the same folder as the Active Directory database (ntds. dit) on the source Domain Controller. http: //blogs. dirteam. com/blogs/sanderberkouwer/archive/2012/09/10/new-features-in-active- directory-domain-services-in-windows-server-2012-part-13-domain-controller-cloning. aspx http: //www. thomasmaurer. ch/2012/08/windows-server-2012-hyper-v-how-to-clone-a-virtual-domain- controller http: //technet. microsoft. com/en-us/library/hh831734. aspx

Answer 74

Configure a Service Principal Name (SPN) for User1. Explanation: If you cannot see the Delegation tab, do one or both of the following: Register a Service Principal Name (SPN) for the user account with the Setspn utility in the support tools on your CD. Delegation is only intended to be used by service accounts, which should have registered SPNs, as opposed to a regular user account which typically does not have SPNs. Raise the functional level of your domain to Windows Server 2003. For more information, see Related Topics. http: //blogs. msdn. com/b/mattlind/archive/2010/01/14/delegation-tab-in-aduc-not-available-until-a- spn-is-set. aspx http: //blogs. msdn. com/b/mattlind/archive/2010/01/14/delegation-tab-in-aduc-not-available-until-a- spn-is-set. aspx http: //technet. microsoft. com/en-us/library/cc739474(v=ws. 10). aspx http: //blogs. msdn. com/b/mattlind/archive/2010/01/14/delegation-tab-in-aduc-not-available-until-a- spn-is-set. aspx

Answer 75

From Active Directory Administrative Center, modify the security settings of PSO1. Explanation: PSOs cannot be applied to organizational units (OUs) directly. If your users are organized into OUs, consider creating global security groups that contain the users from these OUs and then applying the newly defined finegrained password and account lockout policies to them. If you move a user from one OU to another, you must update user memberships in the corresponding global security groups. Go ahead and hit "OK" and then close out of all open windows. Now that you have created a password policy, we need to apply it to a user/group. In order to do so, you must have "write" permissions on the PSO object. We're doing this in a lab, so I'm Domain Admin. Write permissions are not a problem : ) 1. Open Active Directory Users and Computers (Start, point to Administrative Tools, and then click Active Directory Users and Computers). 2. On the View menu, ensure that Advanced Features is checked. 3. In the console tree, expand Active Directory Users and Computers\yourdomain\System\Password Settings Container 4. In the details pane, right-click the PSO, and then click Properties. 5. Click the Attribute Editor tab. 6. Select the msDS-PsoAppliesTo attribute, and then click Edit.

Answer 76

On all of the client computers, configure the EnableDiscovery registry key. In a GPO, modify the Request Policy setting for the NAP Client Configuration. On DC1, create a service location (SRV) record. Explanation: Requirements for HRA automatic discovery The following requirements must be met in order to configure trusted server groups on NAP client computers using HRA automatic discovery: Client computers must be running Windows Vista® with Service Pack 1 (SP1) or Windows XP with Service Pack 3 (SP3). The HRA server must be configured with a Secure Sockets Layer (SSL) certificate. The EnableDiscovery registry key must be configured on NAP client computers. DNS SRV records must be configured. The trusted server group configuration in either local policy or Group Policy must be cleared. http: //technet. microsoft. com/en-us/library/dd296901. aspx

Answer 77

B. Remote RADIUS server groups C. Connection request policies Explanation: To configure NPS as a RADIUS proxy, you must create a connection request policy that contains all of the information required for NPS to evaluate which messages to forward and where to send the messages. When you configure Network Policy Server (NPS) as a Remote Authentication Dial-In User Service (RADIUS) proxy, you use NPS to forward connection requests to RADIUS servers that are capable of processing the connection requests because they can perform authentication and authorization in the domain where the user or computer account is located. For example, if you want to forward connection requests to one or more RADIUS servers in untrusted domains, you can configure NPS as a RADIUS proxy to forward the requests to the remote RADIUS servers in the untrusted domain. To configure NPS as a RADIUS proxy, you must create a connection request policy that contains all of the information required for NPS to evaluate which messages to forward and where to send the messages. When you configure a remote RADIUS server group in NPS and you configure a connection request policy with the group, you are designating the location where NPS is to forward connection requests. http: //technet. microsoft. com/en-us/library/cc754518. aspx http: //technet. microsoft. com/en-us/library/cc754518. aspx http: //technet. microsoft. com/en-us/library/cc754518. aspx

Answer 78

B. PEAP-MS-CHAP v2 ## Footnote D. EAP-TLS Explanation: PEAP is similar in design to EAP-TTLS, requiring only a server-side PKI certificate to create a secure TLS tunnel to protect user authentication, and uses server-side public key certificates to authenticate the server. When you use EAP with a strong EAP type, such as TLS with smart cards or TLS with certificates, both the client and the server use certificates to verify their identities to each other.

Answer 79

From the properties of each user account, configure the User profile settings. Explanation: If a computer is running Windows 2000 Server or later on a network, users can store their profiles on the server. These profiles are called roaming user profiles.

Answer 80

Group Policy Management Console Starting with Windows Server® 2012 and Windows® 8, you can now remotely refresh Group Policy settings for all computers in an OU from one central location through the Group Policy Management Console (GPMC). Or you can use the Invoke-GPUpdatecmdlet to refresh Group Policy for a set of computers, not limited to the OU structure, for example, if the computers are located in the default computers container. http: //technet. microsoft. com/en-us//library/jj134201. aspx http: //blogs. technet. com/b/grouppolicy/archive/2012/11/27/group-policy-in-windows-server-2012- using-remote-gpupdate. aspx

Answer 81

Environment Explanation: Environment Variable preference items allow you to create, update, replace, and delete user and system environment variables or semicolon-delimited segments of the PATH variable. Before you create an Environment Variable preference item, you should review the behavior of each type of action possible with this extension.

Answer 82

Robocopy.exe Explanation: By preseeding files before you set up DFS Replication, add a new replication partner, or replace a server, you can speed up initial synchronization and enable cloning of the DFS Replication database in Windows Server 2012 R2. The Robocopy method is one of several preseeding methods

Answer 83

The schedule of the replication group Explanation: Scheduling allows less bandwidth the by limiting the time interval of the replication Does DFS Replication throttle bandwidth per schedule, per server, or per connection? If you configure bandwidth throttling when specifying the schedule, all connections for that replication group will use that setting for bandwidth throttling. Bandwidth throttling can be also set as a connection-level setting using DFS Management. To edit the schedule and bandwidth for a specific connection, use the following steps: In the console tree under the Replication node, select the appropriate replication group. Click the Connections tab, right-click the connection that you want to edit, and then click Properties. Click the Schedule tab, select Custom connection schedule and then click Edit Schedule. Use the Edit Schedule dialog box to control when replication occurs, as well as the maximum amount of bandwidth replication can consume.

Answer 84

Create a condition. Explanation: Create a File Expiration Task The following procedure guides you through the process of creating a file management task for expiring files. File expiration tasks are used to automatically move all files that match certain criteria to a specified expiration directory, where an administrator can then back those files up and delete them. Property conditions. Click Add to create a new condition based on the file's classification. This will open the Property Condition dialog box, which allows you to select a property, an operator to perform on the property, and the value to compare the property against. After clicking OK, you can then create additional conditions, or edit or remove an existing condition.

Answer 85

Users & Global groups ## Footnote Explanation: First off, your domain functional level must be at Windows Server 2008. Second, Fine-grained password policies ONLY apply to user objects, and global security groups. Linking them to universal or domain local groups is ineffective. I know what you're thinking, what about OU's? Nope, Fine- grained password policy cannot be applied to an organizational unit (OU) directly. The third thing to keep in mind is, by default only members of the Domain Admins group can set fine-grained password policies. However, you can delegate this ability to other users if needed. Fine-grained password policies apply only to user objects (or inetOrgPerson objects if they are used instead of user objects) and global security groups. You can apply Password Settings objects (PSOs) to users or global security groups: http: //technet. microsoft. com/en-us/library/cc731589%28v=ws. 10%29. aspx http: //technet. microsoft. com/en-us/library/cc731589%28v=ws. 10%29. aspx http: //technet. microsoft. com/en-us/library/cc770848%28v=ws. 10%29. aspx http: //www. brandonlawson. com/active-directory/creating-fine-grained-password-policies/

Answer 86

Add-ClusterVmMonitoredItem Explanation: The Add-ClusterVMMonitoredItem cmdlet configures monitoring for a service or an Event Tracing for Windows (ETW) event so that it is monitored on a virtual machine. If the service fails or the event occurs, then the system responds by taking an action based on the failover configuration for the virtual machine resource. For example, the configuration might specify that the virtual machine be restarted.

Answer 87

Install a server certificate. Run the wsusutil. exe command. From Internet Information Services (IIS) Manager, modify the bindings of the WSUS website. Explanation: Certficate needs to be installed to IIS, Bindings modifies and wsutil run. 1. First we need to request a certificate for the WSUS web site, so open IIS, click the server name, then open Server Certificates. On the Actions pane click Create Domain Certificate. 2. To add the signing certificate to the WSUS Web site in IIS 7. 0 On the WSUS server, open Internet Information Services (IIS) Manager. Expand Sites, right-click the WSUS Web site, and then click Edit Bindings. In the Site Binding dialog box, select the https binding, and click Edit to open the Edit Site Binding dialog box. Select the appropriate Web server certificate in the SSL certificate box, and then click OK. Click Close to exit the Site Bindings dialog box, and then click OK to close Internet Information Services (IIS) Manager. 3. WSUSUtil. exe configuressl (the name in your certificate)
WSUSUtil. exe configuressl. 4. The next step is to point your clients to the correct url, by modifying the existing GPO or creating a new one. Open the policy Specify intranet Microsoft update service location and type the new url in the form https: //YourWSUSserver. The gpupdate /force command will just download all the GPO's and re-apply them to the client, it won't force the client to check for updates. For that you need to use wuauclt /resetautorization /detectnow followed by wuauclt /reportnow http: //technet. microsoft. com/en-us/library/bb680861. aspx http: //technet. microsoft. com/en-us/library/bb633246. aspx http: //www. vkernel. ro/blog/configure-wsus-to-use-ssl

Answer 88

Driver malfunction Explanation: Processor: %DPC Time. Much like the other values, this counter shows the amount of time that the processor spends servicing DPC requests. DPC requests are more often than not associated with the network interface. Processor : % Interrupt Time. This is the percentage of time that the processor is spending on handling Interrupts. Generally, if this value exceeds 50% of the processor time you may have a hardware issue. Some components on the computer can force this issue and not really be a problem. For example a programmable I/O card like an old disk controller card, can take up to 40% of the CPU time. A NIC on a busy IIS server can likewise generate a large percentage of processor activity. Processor : % User Time. The value of this counter helps to determine the kind of processing that is affecting the system. Of course the resulting value is the total amount of non-idle time that was spent on User mode operations. This generally means application code. Processor : %Privilege Time. This is the amount of time the processor was busy with Kernel mode operations. If the processor is very busy and this mode is high, it is usually an indication of some type of NT service having difficulty, although user mode programs can make calls to the Kernel mode NT components to occasionally cause this type of performance issue. Memory : Pages/sec. This value is often confused with Page Faults/sec. The Pages/sec counter is a combination of Pages Input/sec and Pages Output/sec counters. Recall that Page Faults/sec is a combination of hard page faults and soft page faults. This counter, however, is a general indicator of how often the system is using the hard drive to store or retrieve memory associated data. http: //technet. microsoft. com/en-us/library/cc768048. aspx

Answer 89

From the Recovery settings of Service1, set the First failure recovery action to Take No Action. Explanation: Configure the virtual machine to take no action through Hyper-V if the physical computer shuts down by modifying the Automatic Stop Action setting to None. Virtual machine state must be managed through the Failover Clustering feature. Virtual machine application monitoring and management In clusters running Windows Server 2012, administrators can monitor services on clustered virtual machines that are also running Windows Server 2012. This functionality extends the high-level monitoring of virtual machines that is implemented in Windows Server 2008 R2 failover clusters. If a monitored service in a virtual machine fails, the service can be restarted, or the clustered virtual machine can be restarted or moved to another node (depending on service restart settings and cluster failover settings). This feature increases the uptime of high availability services that are running on virtual machines within a failover cluster. Windows Server 2012 Failover Cluster introduces a new capability for Hyper-V virtual machines (VMs), which is a basic monitoring of a service within the VM which causes the VM to be rebooted should the monitored service fail three times. For this feature to work the following must be configured: Both the Hyper-V servers must be Windows Server 2012 and the guest OS running in theVM must be Windows Server 2012. The host and guest OSs are in the same or at least trusting domains. The Failover Cluster administrator must be a member of the local administrator's group inside the VM. Ensure the service being monitored is set to Take No Action (see screen shot below) within the guest VM for Subsequent failures (which is used after the first and second failures) and is set via the Recovery tab of the service properties within the Services application (services. msc). Within the guest VM, ensure the Virtual Machine Monitoring firewall exception is enabled for the Domain network by using the Windows Firewall with Advanced Security application or by using the Windows PowerShell command below: Set-NetFirewallRule -DisplayGroup "Virtual Machine Monitoring" -Enabled True After the above is true, enabling the monitoring is a simple process: Launch the Failover Cluster Manager tool. 1. Navigate to the cluster - Roles. 2. Right click on the virtual machine role you wish to enable monitoring for and under More Actions 3. select Configure Monitoring. . . The services running inside the VM will be gathered and check the box for the services that should 4. be monitored and click OK. You are done! Monitoring can also be enabled using the Add-ClusterVMMonitoredItemcmdlet and -VirtualMachine, with the -Service parameters, as the example below shows: PS C: \Windows\system32\> Add- ClusterVMMonitoredItem -VirtualMachine savdaltst01 -Service spooler http: //sportstoday. us/technology/windows-server-2012---continuous-availability-%28part-4%29--- failover-clustering-enhancements---virtual-machine-monitoring-. aspx http: //windowsitpro. com/windows-server-2012/enable-windows-server-2012-failover-cluster-hyper-v- vm-monitoring http: //technet. microsoft. com/en-us/library/cc742396. aspx

Answer 90

Start of authority (SOA) Explanation: A SOA-record defines the responsible person for an entire zone, but a zone may contain many individual hosts / domain names for which different people are responsible. The RP-record type makes it possible to identify the responsible person for individual host names contained within the zone.

Answer 91

A stub zone Explanation: A stub zone is a copy of a zone that contains only those resource records necessary to identify the authoritative Domain Name System (DNS) servers for that zone. A stub zone is used to resolve names between separate DNS namespaces. This type of resolution may be necessary when a corporate merger requires that the DNS servers for two separate DNS namespaces resolve names for clients in both namespaces.

Answer 92

Route add -p 10. 10. 10. 0 MASK 255. 255. 255. 0 172. 23. 16. 2 METRIC 100 Explanation: destination - specifies either an IP address or host name for the network or host. subnetmask - specifies a subnet mask to be associated with this route entry. If subnetmask is not specified, 255. 255. 255. 255 is used. gateway - specifies either an IP address or host name for the gateway or router to use when forwarding. costmetric - assigns an integer cost metric (ranging from 1 through 9,999) to be used in calculating the fastest, most reliable, and/or least expensive routes. If costmetric is not specified, 1 is used. interface - specifies the interface to be used for the route that uses the interface number. If an interface is not specified, the interface to be used for the route is determined from the gateway IP address. http: //support. microsoft. com/kb/299540/en-us http: //technet. microsoft. com/en-us/library/cc757323%28v=ws. 10%29. aspx

Answer 93

From the properties of the zone, change the zone type. Explanation: The Zone would need to be changed to a AD integrated zone When you use directory-integrated zones, you can use access control list (ACL) editing to secure a dnsZone object container in the directory tree. This feature provides detailed access to either the zone or a specified resource record in the zone. For example, an ACL for a zone resource record can be restricted so that dynamic updates are allowed only for a specified client computer or a secure group, such as a domain administrators group. This security feature is not available with standard primary zones DNS update security is available only for zones that are integrated into Active Directory. After you integrate a zone, you can use the access control list (ACL) editing features that are available in the DNS snap-in to add or to remove users or groups from the ACL for a specific zone or for a resource record. Standard (not an Active Directory integrated zone) has no Security settings: You need to firstly change the "Standard Primary Zone" to AD Integrated Zone: Now there's Security tab: http: //technet. microsoft. com/en-us/library/cc753014. aspx http: //technet. microsoft. com/en-us/library/cc726034. aspx http: //support. microsoft. com/kb/816101

Answer 94

In Servers GPO, modify the Advanced Audit Configuration settings. Explanation: When you use Advanced Audit Policy Configuration settings, you need to confirm that these settings are not overwritten by basic audit policy settings. The following procedure shows how to prevent conflicts by blocking the application of any basic audit policy settings. Enabling Advanced Audit Policy Configuration Basic and advanced audit policy configurations should not be mixed. As such, it's best practice to enable Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings in Group Policy to make sure that basic auditing is disabled. The setting can be found under Computer Configuration\Policies\Security Settings\Local Policies\Security Options, and sets the SCENoApplyLegacyAuditPolicy registry key to prevent basic auditing being applied using Group Policy and the Local Security Policy MMC snap-in. In Windows 7 and Windows Server 2008 R2, the number of audit settings for which success and failure can be tracked has increased to 53. Previously, there were nine basic auditing settings under Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy. These 53 new settings allow you to select only the behaviors that you want to monitor and exclude audit results for behaviors that are of little or no concern to you, or behaviors that create an excessive number of log entries. In addition, because Windows 7 and Windows Server 2008 R2 security audit policy can be applied by using domain Group Policy, audit policy settings can be modified, tested, and deployed to selected users and groups with relative simplicity. Audit Policy settings Any changes to user account and resource permissions. Any failed attempts for user logon. Any failed attempts for resource access. Any modification to the system files. Advanced Audit Configuration Settings Audit compliance with important business-related and security-related rules by tracking precisely defined activities, such as: A group administrator has modified settings or data on servers that contain finance information. An employee within a defined group has accessed an important file. The correct system access control list (SACL) is applied to every file and folder or registry key on a computer or file share as a verifiable safeguard against undetected access. In Servers GPO, modify the Audit Policy settings - enabling audit account management setting will generate events about account creation, deletion and so on. Advanced Audit Configuration Settings Advanced Audit Configuration Settings -\>Audit Policy -\> Account Management -\> Audit User Account Management In Servers GPO, modify the Audit Policy settings - enabling audit account management setting will generate events about account creation, deletion and so on. http: //blogs. technet. com/b/abizerh/archive/2010/05/27/tracing-down-user-and-computer-account- deletion-in-active-directory. aspx http: //technet. microsoft. com/en-us/library/dd772623%28v=ws. 10%29. aspx http: //technet. microsoft. com/en-us/library/jj852202(v=ws. 10). aspx http: //www. petri. co. il/enable-advanced-audit-policy-configuration-windows-server. htm http: //technet. microsoft. com/en-us/library/dd408940%28v=ws. 10%29. aspx http: //technet. microsoft. com/en-us/library/dd408940%28v=ws. 10%29. aspx#BKMK\_step2

Answer 95

In GPO1, configure the Advanced Audit Policy Configuration settings for Audit User Account Management. Link GPO1 to the Domain Controllers organizational unit (OU). Explanation: Audit User Account Management This security policy setting determines whether the operating system generates audit events when the following user account management tasks are performed: A user account is created, changed, deleted, renamed, disabled, enabled, locked out, or unlocked. A user account password is set or changed. Security identifier (SID) history is added to a user account. The Directory Services Restore Mode password is set. Permissions on accounts that are members of administrators groups are changed. Credential Manager credentials are backed up or restored. This policy setting is essential for tracking events that involve provisioning and managing user accounts.

Answer 96

Configure the File Server Resource Manager Options. Explanation: When you create quotas and file screens, you have the option of sending e-mail notifications to users when their quota limit is approaching or after they have attempted to save files that have been blocked. If you want to routinely notify certain administrators of quota and file screening events, you can configure one or more default recipients. To send these notifications, you must specify the SMTP server to be used for forwarding the e-mail messages. To configure e-mail options In the console tree, right-click File Server Resource Manager, and then click Configure options. The File Server Resource Manager Options dialog box opens. On the E-mail Notifications tab, under SMTP server name or IP address, type the host name or the IP address of the SMTP server that will forward e-mail notifications. If you want to routinely notify certain administrators of quota or file screening events, under Default administrator recipients, type each e-mail address. Use the format account@domain. Use semicolons to separate multiple accounts. To test your settings, click Send Test E-mail.

Answer 97

Create a namespace. Share and publish the replicated folder. Modify the Referrals settings. Explanation: To share a replicated folder and publish it to a DFS namespace Click Start, point to Administrative Tools, and then click DFS Management. In the console tree, under the Replication node, click the replication group that contains the replicated folder you want to share. In the details pane, on the Replicated Folders tab, right-click the replicated folder that you want to share, and then click Share and Publish in Namespace. In the Share and Publish Replicated Folder Wizard, click Share and publish the replicated folder in a namespace, and then follow the steps in the wizard. Note that: If you do not have an existing namespace, you can create one in the Namespace Path page in the Share and Publish Replicated Folder Wizard. To create the namespace, in the Namespace Path page, click Browse, and then click New Namespace. To create a namespace Click Start, point to Administrative Tools, and then click DFS Management. In the console tree, right-click the Namespaces node, and then click New Namespace. Follow the instructions in the New Namespace Wizard. To create a stand-alone namespace on a failover cluster, specify the name of a clustered file server instance on the Namespace Server page of the New Namespace Wizard. Important Do not attempt to create a domain-based namespace using the Windows Server 2008 mode unless the forest functional level is Windows Server 2003 or higher. Doing so can result in a namespace for which you cannot delete DFS folders, yielding the following error message: "The folder cannot be deleted. Cannot complete this function. " To share a replicated folder and publish it to a DFS namespace 1. Click Start, point to Administrative Tools, and then click DFS Management. 2. In the console tree, under the Replication node, click the replication group that contains the replicated folder you want to share. 3. In the details pane, on the Replicated Folders tab, right-click the replicated folder that you want to share, and then click Share and Publish in Namespace. 4. In the Share and Publish Replicated Folder Wizard, click Share and publish the replicated folder in a namespace, and then follow the steps in the wizard. "You need to ensure that users connect to the replicated folder in their respective office when they connect to \\contoso. com\Share1" http: //technet. microsoft. com/en-us/library/cc731531. aspx http: //technet. microsoft. com/en-us/library/cc772778%28v=ws. 10%29. aspx http: //technet. microsoft. com/en-us/library/cc732414. aspx http: //technet. microsoft. com/en-us/library/cc772379. aspx http: //technet. microsoft. com/en-us/library/cc732863%28v=ws. 10%29. aspx http: //technet. microsoft. com/en-us/library/cc725830. aspx http: //technet. microsoft. com/en-us/library/cc771978. aspx

Answer 98

a storage report task Explanation: From the Storage Reports Management node, you can generate reports that will help you understand file use on the storage server. You can use the storage reports to monitor disk usage patterns (by file type or user), identify duplicate files and dormant files, track quota usage, and audit file screening. Before you run a File Screen Audit report, in the File Server Resource Manager Options dialog box, on the File Screen Audit tab, verify that the Record file screening activity in the auditing database check box is selected. http: //technet. microsoft. com/en-us/library/cc755988. aspx http: //technet. microsoft. com/en-us/library/cc730822. aspx http: //technet. microsoft. com/en-us/library/cc770594. aspx http: //technet. microsoft. com/en-us/library/cc771212. aspx http: //technet. microsoft. com/en-us/library/cc732074. aspx

Answer 99

Create an application directory partition. Explanation: Application directory partitions An application directory partition is a directory partition that is replicated only to specific domain controllers. A domain controller that participates in the replication of a particular application directory partition hosts a replica of that partition. Only domain controllers running Windows Server 2003 can host a replica of an application directory partition.

Answer 100

Configure DirectAccess to enable force tunneling. Explanation: With IPv6 and the Name Resolution Policy Table (NRPT), by default, DirectAccess clients separate their intranet and Internet traffic as follows: DNS name queries for intranet fully qualified domain names (FQDNs) and all intranet traffic is exchanged over the tunnels that are created with the DirectAccess server or directly with intranet servers. Intranet traffic from DirectAccess clients is IPv6 traffic. DNS name queries for FQDNs that correspond to exemption rules or do not match the intranet namespace, and all traffic to Internet servers, is exchanged over the physical interface that is connected to the Internet. Internet traffic from DirectAccess clients is typically IPv4 traffic. In contrast, by default, some remote access virtual private network (VPN) implementations, including the VPN client, send all intranet and Internet traffic over the remote access VPN connection. Internet- bound traffic is routed by the VPN server to intranet IPv4 web proxy servers for access to IPv4 Internet resources. It is possible to separate the intranet and Internet traffic for remote access VPN clients by using split tunneling. This involves configuring the Internet Protocol (IP) routing table on VPN clients so that traffic to intranet locations is sent over the VPN connection, and traffic to all other locations is sent by using the physical interface that is connected to the Internet. You can configure DirectAccess clients to send all of their traffic through the tunnels to the DirectAccess server with force tunneling. When force tunneling is configured, DirectAccess clients detect that they are on the Internet, and they remove their IPv4 default route. With the exception of local subnet traffic, all traffic sent by the DirectAccess client is IPv6 traffic that goes through tunnels to the DirectAccess server.

Answer 101

3 ## Footnote Explanation: To create DNS Host (A) Records for all internal pool servers 1. Click Stabrt, click All Programs, click Administrative Tools, and then click DNS. 2. In DNS Manager, click the DNS Server that manages your records to expand it. 3. Click Forward Lookup Zones to expand it. 4. Right-click the DNS domain that you need to add records to, and then click New Host (A or AAAA). 5. In the Name box, type the name of the host record (the domain name will be automatically appended). 6. In the IP Address box, type the IP address of the individual Front End Server and then select Create associated pointer (PTR) record or Allow any authenticated user to update DNS records with the same owner name, if applicable. 7. Continue creating records for all member Front End Servers that will participate in DNS Load Balancing. For example, if you had a pool named pool1. contoso. com and three Front End Servers, you would create the following DNS entries: http: //technet. microsoft. com/en-us/library/cc772506. aspx http: //technet. microsoft. com/en-us/library/gg398251. aspx

Answer 102

Dsamain Explanation: dsamain /dbpath E: \$SNAP\_200704181137\_VOLUMED$\WINDOWS\NTDS\ntds. dit /ldapport51389 http: //technet. microsoft. com/en-us/library/cc753609(v=ws. 10). aspx

Answer 103

Active Directory Administrative Center Explanation: In Windows Server 2012, fine-grained password policy management is made much easier than Windows Server 2008/2008 R2. Windows Administrators not have to use ADSI Edit and configure complicated settings to create the Password Settings Object (PSO) in the Password Settings Container. Instead we can configure fine-grained password policy directly in Active Directory Administrative Center (ADAC).

Answer 104

Copy App1. admx to \\Contoso. com\SYSVOL\Contoso. com\Policies\PolicyDefinitions\. Explanation: To take advantage of the benefits of . admx files, you must create a Central Store in the SYSVOL folder on a domain controller. The Central Store is a file location that is checked by the Group Policy tools. The Group Policy tools use any . admx files that are in the Central Store. The files that are in the Central Store are later replicated to all domain controllers in the domain.

Answer 105

From a command prompt, run wsusutil. exe and specify the movecontent parameter. You might need to change the location where WSUS stores updates locally. This might be required if the disk becomes full and there is no longer any room for new updates. You might also have to do this if the disk where updates are stored fails and the replacement disk uses a new drive letter. You accomplish this move with the movecontent command of WSUSutil. exe, a command-line tool that is copied to the file system of the WSUS server during WSUS Setup. By default, Setup copies WSUSutil. exe to the following location: WSUSInstallationDrive: \Program Files\Microsoft Windows Server Update Services\Tools\

Answer 106

A performance counter alert Explanation: Performance alerts notify you when a specified performance counter exceeds your configured threshold by logging an event to the event log. But rather than notifying you immediately when the counter exceeds the threshold, you can configure a time period over which the counter needs to exceed the threshold, to avoid unnecessary alerts.

Answer 107

New-NpsRadiusClient Explanation: New-NpsRadiusClient -Name "NameOfMyClientGroup" -Address "10. 1. 0. 0/16" -AuthAttributeRequired 0 -NapCompatible 0 -SharedSecret "SuperSharedSecretxyz" -VendorName "RADIUS Standard" http: //technet. microsoft. com/en-us/library/hh918425(v=wps. 620). aspx http: //technet. microsoft. com/en-us/library/jj872740(v=wps. 620). aspx http: //technet. microsoft. com/en-us/library/dd469790. aspx

Answer 108

A connection request policy that uses EAP-MSCHAP v2 authentication Explanation: 802. 1X uses EAP, EAP-TLS, EAP-MS-CHAP v2, and PEAP authentication methods: EAP (Extensible Authentication Protocol) uses an arbitrary authentication method, such as certificates, smart cards, or credentials. EAP-TLS (EAP-Transport Layer Security) is an EAP type that is used in certificate- based security environments, and it provides the strongest authentication and key determination method. EAP-MS-CHAP v2 (EAP-Microsoft Challenge Handshake Authentication Protocol version 2) is a mutual authentication method that supports password-based user or computer authentication. PEAP (Protected EAP) is an authentication method that uses TLS to enhance the security of other EAP authentication protocols. Connection request policies are sets of conditions and settings that allow network administrators to designate which Remote Authentication Dial-In User Service (RADIUS) servers perform the authentication and authorization of connection requests that the server running Network Policy Server (NPS) receives from RADIUS clients. Connection request policies can be configured to designate which RADIUS servers are used for RADIUS accounting. With connection request policies, you can use NPS as a RADIUS server or as a RADIUS proxy, based on factors such as the following: The time of day and day of the week The realm name in the connection request The type of connection being requested The IP address of the RADIUS client

Answer 109

A computer certificate Explanation: Configure NAP enforcement for VPN This checklist provides the steps required to deploy computers with Routing and Remote Access Service installed and configured as VPN servers with Network Policy Server (NPS) and Network Access Protection (NAP).

Answer 110

From the Update Files and Languages options, configure the Update Files settings. Explanation: To specify whether express installation files are downloaded during synchronization In the left pane of the WSUS Administration console, click Options. In Update Files and Languages, click the Update Files tab. If you want to download express installation files, select the Download express installation files check box. If you do not want to download express installation files, clear the check box. http: //technet. microsoft. com/en-us/library/cc708431. aspx http: //technet. microsoft. com/en-us/library/cc708431. aspx

Answer 111

Tunnel-Type, Tunnel-Tag, Tunnel-Medium-Type, and Tunnel-Pvt-Group-ID Explanation: VLAN attributes used in network policy When you use network hardware, such as routers, switches, and access controllers that support virtual local area networks (VLANs), you can configure Network Policy Server (NPS) network policy to instruct the access servers to place members of Active Directory® groups on VLANs. Before configuring network policy in NPS for VLANs, create groups of users in Active Directory Domain Services (AD DS) that you want to assign to specific VLANs. Then when you run the New Network Policy wizard, add the Active Directory group as a condition of the network policy. You can create a separate network policy for each group that you want to assign to a VLAN. For more information, see Create a Group for a Network Policy. When you configure network policy for use with VLANs, you must configure the RADIUS standard attributes Tunnel-Medium-Type, Tunnel-Pvt- Group-ID, and Tunnel-Type. Some hardware vendors also require the use of the RADIUS standard attribute Tunnel-Tag. To configure these attributes in a network policy, use the New Network Policy wizard to create a network policy. You can add the attributes to the network policy settings while running the wizard or after you have successfully created a policy with the wizard. Tunnel-Medium-Type. Select a value appropriate to the previous selections you made while running the New Network Policy wizard. For example, if the network policy you are configuring is a wireless policy, in Attribute Value, select 802 (Includes all 802 media plus Ethernet canonical format). Tunnel-Pvt-Group-ID. Enter the integer that represents the VLAN number to which group members will be assigned. For example, if you want to create a Sales VLAN for your sales team by assigning team members to VLAN 4, type the number 4. Tunnel-Type. Select the value Virtual LANs (VLAN). Tunnel-Tag. Some hardware devices do not require this attribute. If your hardware device requires this attribute, obtain this value from your hardware documentation.

Answer 112

The netsh. exe command Explanation: NPS trace logging files You can use log files on servers running Network Policy Server (NPS) and NAP client computers to help troubleshoot NAP problems. Log files can provide the detailed information required for troubleshooting complex problems. You can capture detailed information in log files on servers running NPS by enabling remote access tracing. The Remote Access service does not need to be installed or running to use remote access tracing. When you enable tracing on a server running NPS, several log files are created in %windir %\tracing. The following log files contain helpful information about NAP: IASNAP. LOG: Contains detailed information about NAP processes, NPS authentication, and NPS authorization. IASSAM. LOG: Contains detailed information about user authentication and authorization. Membership in the local Administrators group, or equivalent, is the minimum required to enable tracing. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http: //go. microsoft. com/fwlink/?LinkId=83477). To create tracing log files on a server running NPS Open a command line as an administrator. 1. Type netshras set tr \* en. 2. Reproduce the scenario that you are troubleshooting. 3. Type netshras set tr \* dis. 4. Close the command prompt window. 5. http: //technet. microsoft. com/en-us/library/dd348461%28v=ws. 10%29. aspx

Answer 113

A network policy that has the MS-Service Class condition Explanation: MS-Service Class Restricts the policy to clients that have received an IP address from a DHCP scope that matches the specified DHCP profile name. This condition is used only when you are deploying NAP with the DHCP enforcement method. To use the MS-Service Class attribute, in Specify the profile name that identifies your DHCP scope, type the name of an existing DHCP profile. Open the NPS console, double-click Policies, click Network Policies, and then double-click the policy you want to configure. In policy Properties, click the Conditions tab, and then click Add. In Select condition, scroll to the Network Access Protection group of conditions. If you want to configure the Identity Type condition, click Identity Type, and then click Add. In Specify the method in which clients are identified in this policy, select the items appropriate for your deployment, and then click OK. The Identity Type condition is used for the DHCP and Internet Protocol security (IPsec) enforcement methods to allow client health checks when NPS does not receive an Access-Request message that contains a value for the User-Name attribute; in this case, client health checks are performed, but authentication and authorization are not performed. If you want to configure the MS-Service Class condition, click MS-Service Class, and then click Add. In Specify the profile name that identifies your DHCP scope, type the name of an existing DHCP profile, and then click Add. The MS-Service Class condition restricts the policy to clients that have received an IP address from a DHCP scope that matches the specified DHCP profile name. This condition is used only when you are deploying NAP with the DHCP enforcement method. http: //technet. microsoft. com/en-us/library/cc731560(v=ws. 10). aspx http: //technet. microsoft. com/en-us/library/cc731220(v=ws. 10). aspx

Answer 114

Run the Accounting Configuration Wizard Explanation: In Windows Server 2008 R2, an accounting configuration wizard is added to the Accounting node in the NPS console. By using the Accounting Configuration wizard, you can configure the following four accounting settings: SQL logging only. By using this setting, you can configure a data link to a SQL Server that allows NPS to connect to and send accounting data to the SQL server. In addition, the wizard can configure the database on the SQL Server to ensure that the database is compatible with NPS SQL server logging. Text logging only. By using this setting, you can configure NPS to log accounting data to a text file. Parallel logging. By using this setting, you can configure the SQL Server data link and database. You can also configure text file logging so that NPS logs simultaneously to the text file and the SQL Server database. SQL logging with backup. By using this setting, you can configure the SQL Server data link and database. In addition, you can configure text file logging that NPS uses if SQL Server logging fails.

Answer 115

Add a route for 10. 1. 14. 0/24 that uses 10. 1. 14. 254 as the gateway and set the metric to 500. Explanation: To configure the Automatic Metric feature: 1. In Control Panel, double-click Network Connections. 2. Right-click a network interface, and then click Properties. 3. Click Internet Protocol (TCP/IP), and then click Properties. 4. On the General tab, click Advanced. 5. To specify a metric, on the IP Settings tab, click to clear the Automatic metric check box, and then enter the metric that you want in the Interface Metric field. To manually add routes for IPv4 Open the Command Prompt window by clicking the Start button Picture of the Start button. In the search box, type Command Prompt, and then, in the list of results, click Command Prompt. At the command prompt, type route -p add [destination] [mask ] [gateway] [metric ] [if ].

Answer 116

The primary DNS suffix of Server1 Explanation: When any computer or a standalone server is added to a domain as a member, the network identifies that computer with its Fully Qualified Domain Name or FQDN. A Fully Qualified Domain Name consist of a hostname and the DNs suffix separated by a ". " called period. An example for this can be server01. msftdomain. com where "server01 is the hostname of the computer and "msftdomain. com" is the DNS suffix which follows the hostname. A complete FQDN of a client computer or a member server uniquely identifies that computer in the entire domain. Primary DNS suffix must manually be added in Windows 8 computer to change its hostname to Fully Qualified Domain Name so that it becomes eligible to send queries and receive responses from the DNS server. Following are the steps which can be implemented to add primary DNS suffix to a Windows 8 computer hostname: Log on to Windows 8 computer with administrator account. From the options available on the screen click Control Panel. On the opened window click More Settings from the left pane. On the next window click System and Security category and on the appeared window click System. On View basic information about your computer window click Change settings under Computer name, domain, and workgroup settings section. On System Properties box make sure that Computer Name tab is selected and click Change button. On Computer Name/Domain Changes box click More button. On DNS Suffix and NetBIOS Computer Name box type in the DNS domain name as the DNS suffix to the Windows 8 computer under Primary DNS suffix of this computer field. Click Ok button on all the boxes and restart the computer to allow changes to take effect. For years, Windows DNS has supported dynamic updates, whereas a DNS client host registers and dynamically updates the resource records with a DNS server. If a host's IP address changes, the resource record (particularly the A record) for the host is automatically updated, while the host utilizes the DHCP server to dynamically update its Pointer (PTR) resource record. Therefore, when a user or service needs to contact a client PC, it can look up the IP address of the host. With larger organizations, this becomes an essential feature, especially for clients that frequently move or change locations and use DHCP to automatically obtain an IP address. For dynamic DNS updates to succeed, the zone must be configured to accept dynamic updates: http: //technet. microsoft. com/en-us/library/cc778792%28v=ws. 10%29. aspx http: //technet. microsoft. com/en-us/library/cc778792%28v=ws. 10%29. aspx http: //www. advicehow. com/adding-primary-dns-suffix-in-microsoft-windows-8/ http: //technet. microsoft. com/en-us/library/cc959611. aspx

Answer 117

From Windows PowerShell, run the Set-DnsServerForwardercmdlet and specify the contoso. com zone as a target. Explanation: There are two ways that a secondary DNS server can be added. In both scenarios you will need to add the new server to the Forwarders list of the primary Domain Controller. 1. The Set-DnsServerForwarder cmdlet changes forwarder settings on a Domain Name System (DNS) server. 2. From the primary server, open DNS Manager, right click on the server name and select Properties. Click on the Forwarders tab and click the Edit button in the middle of the dialogue box.

Answer 118

Perform an authoritative restore of Group1. Explanation: The Active Directory Recycle Bin does not have the ability to track simple changes to objects. If the object itself is not deleted, no element is moved to the Recycle Bin for possible recovery in the future. In other words, there is no rollback capacity for changes to object properties, or, in other words, to the values of these properties. There is another approach you should be aware of. Tombstone reanimation (which has nothing to do with zombies) provides the only way to recover deleted objects without taking a DC offline, and it's the only way to recover a deleted object's identity information, such as its objectGUID and objectSid attributes. It neatly solves the problem of recreating a deleted user or group and having to fix up all the old access control list (ACL) references, which contain the objectSid of the deleted object. Restores domain controllers to a specific point in time, and marks objects in Active Directory as being authoritative with respect to their replication partners.

Answer 119

Option A Option E Explanation: Because domain controllers provide a distributed environment, you could not safely clone an Active Directory domain controller in the past. Before, if you cloned any server, the server would end up with the same domain or forest, which is unsupported with the same domain or forest. You would then have to run sysprep, which would remove the unique security information before cloning and then promote a domain controller manually. When you clone a domain controller, you perform safe cloning, which a cloned domain controller automatically runs a subset of the sysprep process and promotes the server to a domain controller automatically. The four primary steps to deploy a cloned virtualized domain controller are as follows: Grant the source virtualized domain controller the permission to be cloned by adding the source 1. virtualized domain controller to the Cloneable Domain Controllers group. Run Get-ADDCCloningExcludedApplicationListcmdlet in Windows PowerShell to determine which 2. services and applications on the domain controller are not compatible with the cloning. Run New-ADDCCloneConfigFile to create the clone configuration file, which is stored in the C: 3. \Windows\NTDS. In Hyper-V, export and then import the virtual machine of the source domain controller. 4. Run Get-ADDCCloningExcludedApplicationListcmdlet In this procedure, run the Get- ADDCCloningExcludedApplicationListcmdlet on the source virtualized domain controller to identify any programs or services that are not evaluated for cloning. You need to run the Get- ADDCCloningExcludedApplicationListcmdlet before the New- ADDCCloneConfigFilecmdlet because if the New-ADDCCloneConfigFilecmdlet detects an excluded application, it will not create a DCCloneConfig. xml file. To identify applications or services that run on a source domain controller which have not been evaluated for cloning Get-ADDCCloningExcludedApplicationList Get-ADDCCloningExcludedApplicationList -GenerateXml The clone domain controller will be located in the same site as the source domain controller unless a different site is specified in the DCCloneConfig. xml file. Note: The Get-ADDCCloningExcludedApplicationListcmdlet searches the local domain controller for programs and services in the installed programs database, the services control manager that are not specified in the default and user defined inclusion list. The applications in the resulting list can be added to the user defined exclusion list if they are determined to support cloning. If the applications are not cloneable, they should be removed from the source domain controller before the clone media is created. Any application that appears in cmdlet output and is not included in the user defined inclusion list will force cloning to fail. The Get-ADDCCloningExcludedApplicationListcmdlet needs to be run before the New- ADDCCloneConfigFilecmdlet is used because if the New-ADDCCloneConfigFilecmdlet detects an excluded application, it will not create a DCCloneConfig. xml file. DCCloneConfig. xml is an XML configuration file that contains all of the settings the cloned DC will take when it boots. This includes network settings, DNS, WINS, AD site name, new DC name and more. This file can be generated in a few different ways. The New-ADDCCloneConfigcmdlet in PowerShell By hand with an XML editor By editing an existing config file, again with an XML editor (Notepad is not an XML editor. ) You can populate the XML file. . . . . doesn't need to be empty. . . . . http: //technet. microsoft. com/en-us/library/hh831734. aspx http: //blogs. dirteam. com/blogs/sanderberkouwer/archive/2012/09/10/new-features-in-active- directory-domain-services-in-windows-server-2012-part-13-domain-controller-cloning. aspx

Answer 120

Disable Remote Differential Compression (RDC). Explanation: Because disabling RDC can help conserve disk input/output (I/O) and CPU resources, you might want to disable RDC on a connection if the sending and receiving members are in a local area network (LAN), and bandwidth use is not a concern. However, in a LAN environment where bandwidth is contended, RDC can be beneficial when transferring large files. Question tells it uses a high-speed LAN connection. http: //technet. microsoft. com/en-us/library/cc758825%28v=ws. 10%29. aspx http: //technet. microsoft. com/en-us/library/cc754229. aspx

Answer 121

Preferences/Control Panel Settings/Network Options Explanation: The Network Options extension allows you to centrally create, modify, and delete dial-up networking and virtual private network (VPN) connections. Before you create a network option preference item, you should review the behavior of each type of action possible with the extension. To create a new Dial-Up Connection preference item Open the Group Policy Management Console. Right-click the Group Policy object (GPO) that should contain the new preference item, and then click Edit. In the console tree under Computer Configuration or User Configuration, expand the Preferences folder, and then expand the Control Panel Settings folder. Right-click the Network Options node, point to New, and select Dial-Up Connection. http: //technet. microsoft. com/en-us/library/cc772107. aspx http: //technet. microsoft. com/en-us/library/cc772107. aspx http: //technet. microsoft. com/en-us/library/cc772449. aspx

Answer 122

Copy files from %Windir%\Policydefinitions to the central store. In earlier operating systems, all the default Administrative Template files are added to the ADM folder of a Group Policy object (GPO) on a domain controller. The GPOs are stored in the SYSVOL folder. The SYSVOL folder is automatically replicated to other domain controllers in the same domain. A policy file uses approximately 2 megabytes (MB) of hard disk space. Because each domain controller stores a distinct version of a policy, replication traffic is increased. In Group Policy for Windows Server 2008 and Windows Vista, if you change Administrative template policy settings on local computers, Sysvol will not be automatically updated with the new . ADMX or . ADML files. This change in behavior is implemented to reduce network load and disk storage requirements, and to prevent conflicts between . ADMX files and. ADML files when edits to Administrative template policy settings are made across different locales. To make sure that any local updates are reflected in Sysvol, you must manually copy the updated . ADMX or . ADML files from the PolicyDefinitions file on the local computer to the Sysvol\PolicyDefinitions folder on the appropriate domain controller. To take advantage of the benefits of . admx files, you must create a Central Store in the SYSVOL folder on a domain controller. The Central Store is a file location that is checked by the Group Policy tools. The Group Policy tools use any . admx files that are in the Central Store. The files that are in the Central Store are later replicated to all domain controllers in the domain. To create a Central Store for . admx and . adml files, create a folder that is named PolicyDefinitions in the following location: \\FQDN\SYSVOL\FQDN\policies http: //support. microsoft. com/kb/929841

Answer 123

From the File Server Resource Manager console, set a folder management property. To specify a separate access-denied message for a shared folder by using File Server Resource Manager See step 3 below. 1. Open File Server Resource Manager. In Server Manager, click Tools, and then click File Server Resource Manager. 2. Expand File Server Resource Manager (Local), and then click Classification Management. 3. Right-click Classification Properties, and then click Set Folder Management Properties. 4. In the Property box, click Access-Denied Assistance Message, and then click Add. 5. Click Browse, and then choose the folder that should have the custom access-denied message. 6. In the Value box, type the message that should be presented to the users when they cannot access a resource within that folder. You can add macros to the message that will insert customized text. The macros include: [Original File Path] The original file path that was accessed by the user. o [Original File Path Folder] The parent folder of the original file path that was accessed o by the user. [Admin Email] The administrator email recipient list. o [Data Owner Email] The data owner email recipient list. o 7. Click OK, and then click Close.

Answer 124

U1: Policy2 U2: Policy1 U3: Policy1

Answer 125

S1: Health Policies S2: Server Options

Answer 126

Remote Radius Server Groups

Answer 127

GPO2 GPO4 GPO6

Answer 128

Run startup scripts synchronously, Explanation: Lets the system run startup scripts simultaneously rather than waiting for each to finish http: //technet. microsoft. com/en-us/library/cc939423. aspx Directs the system to wait for logon scripts to finish running before it starts the Windows Explorer interface program and creates the desktop. If you enable this policy, Windows Explorer does not start until the logon scripts have finished running. This setting assures that logon script processing is complete before the user starts working, but it can delay the appearance of the desktop. If you disable this policy or do not configure it, the logon scripts and Windows Explorer are not synchronized and can run simultaneously. This policy appears in the Computer Configuration and User Configuration folders. The policy set in Computer Configuration takes precedence over the policy set in User Configuration. By default, the Fast Logon Optimization feature is set for both domain and workgroup members. This setting causes policy to be applied asynchronously when the computer starts and the user logs on. The result is similar to a background refresh. The advantage is that it can reduce the amount of time it takes for the logon dialog box to appear and the amount of time it takes for the desktop to become available to the user. Of course, it also means that the user may log on and start working before the absolute latest policy settings have been applied to the system. Depending on your environment, you may want to disable Fast Logon Optimization. You can do this with Group Policy, using the Always wait for the network at computer startup and logon policy setting. http: //technet. microsoft. com/en-us/magazine/gg486839. aspx http: //technet. microsoft. com/en-us/magazine/gg486839. aspx http: //technet. microsoft. com/en-us/library/cc958585. aspx

Answer 129

S1: Set-wsusserversynchronization -syncfrommenu S2: set-wsusserversynchronization -useservername Server1