
Microsoft.Certdumps.70-412.v2014-04-02.by.WENDY.289q
Number: 70-412
Passing Score: 800
Time Limit: 120 min
File Version: 14.5

Exam Code: 70-412


Exam Name: Configuring Advanced Windows Server 2012 Services

Configure and manage high availability


QUESTION 1
* You have a datacenter that contains six servers. Each server has the Hyper-V server role installed and runs
Windows Server 2012. The servers are configured as shown in the following table.

Host4 and Host5 are part of a cluster named Cluster1. Cluster1 hosts a virtual machine named VM1.
You need to move VM1 to another Hyper-V host. The solution must minimize the downtime of VM1.
To which server and by which method should you move VM1?
A. To Host3 by using a storage migration
B. To Host6 by using a storage migration
C. To Host2 by using a live migration
D. To Host1 by using a quick migration

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Cluster Shared Volumes (CSV) is a feature of Failover Clustering first introduced in Windows Server 2008 R2
for use with the Hyper-V role. A Cluster Shared Volume is a shared disk containing an NTFS volume that is
made accessible for read and write operations by all nodes within a Windows Server Failover Cluster.
While CSV is not required for Live Migration of VMs, it reduces the potential disconnection period at the end of
the migration since the NTFS file system does not have to be unmounted/mounted as is the case with a
traditional cluster disk. This helps ensure seamless live migration since the physical disk resource does not
need to be moved between nodes. CSV increases the chance that a live migration will complete within the TCP
reconnect window and ensure a seamless operation to clients.
Host3 is the only option that allows minimum downtime and has the same processor manufacturer.
http://en.wikipedia.org/wiki/Cluster_Shared_Volumes
http://technet.microsoft.com/en-us/library/dd446679(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/hh831656.aspx
http://technet.microsoft.com/en-us/library/jj628158.aspx
QUESTION 2
* Your network contains an Active Directory domain named contoso.com. The domain contains three servers
named Server1, Server2, and Server3 that run Windows Server 2012. All three servers have the Hyper-V
server role installed and the Failover Clustering feature installed.
Server1 and Server2 are nodes in a failover cluster named Cluster1. Several highly available virtual machines
run on Cluster1. Cluster1 has the Hyper-V Replica Broker role installed. The Hyper-V Replica Broker currently
runs on Server1.
Server3 currently has no virtual machines.
You need to configure Cluster1 to be a replica server for Server3 and Server3 to be a replica server for
Cluster1.
Which two tools should you use? (Each correct answer presents part of the solution.
Choose two.)
A. The Hyper-V Manager console connected to Server3
B. The Failover Cluster Manager console connected to Server3
C. The Hyper-V Manager console connected to Server1.
D. The Failover Cluster Manager console connected to Cluster1
E. The Hyper-V Manager console connected to Server2

Correct Answer: AD
Section: (none)
Explanation
Explanation/Reference:
http://technet.microsoft.com/en-us/library/jj134240.aspx

QUESTION 3
* You have a failover cluster named Cluster1 that contains four nodes. All of the nodes run Windows Server
2012.
You need to schedule the installation of Windows updates on the cluster nodes.
Which tool should you use?
A. The Wusa command
B. The Invoke-CauScan cmdlet
C. The Add-CauClusterRole cmdlet
D. The Wuauclt command

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Add-CauClusterRole
Adds the Cluster-Aware Updating (CAU) clustered role that provides the self-updating functionality to the
specified cluster.
For many clustered roles (formerly called clustered applications and services) in the cluster, the automatic
update process triggers a planned failover, and it can cause a transient service interruption for connected
clients. However, in the case of continuously available workloads such as Hyper-V with live migration or file
server with SMB Transparent Failover, CAU can coordinate cluster updates with no impact to the service
availability.
The CAU feature is only compatible with Windows Server 2012 R2 and Windows Server 2012 failover clusters
and the clustered roles that are supported on those versions.
http://technet.microsoft.com/en-us/library/hh831694.aspx
http://technet.microsoft.com/en-us/library/hh847235.aspx

QUESTION 4
* You have a failover cluster named Cluster1 that contains four nodes. All of the nodes run Windows Server
2012.
You need to force every node in Cluster1 to contact immediately the Windows Server Update Services (WSUS)
server on your network for updates.
Which tool should you use?
A. The Add-CauClusterRole cmdlet
B. The Wuauclt command
C. The Wusa command
D. The Invoke-CauScan cmdlet

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Invoke-CauScan
Performs a scan of cluster nodes for applicable updates and returns a list of the initial set of updates that would
be applied to each node in a specified cluster.

http://technet.microsoft.com/en-us/library/hh847228.aspx
QUESTION 5
* You have four servers that run Windows Server 2012. The servers have the Failover Clustering feature
installed. You deploy a new cluster named Cluster1. Cluster1 is configured as shown in the following table.

Site2 is a disaster recovery site.


Server1, Server2, and Server3 are configured as the preferred owners of the cluster roles.
Dynamic quorum management is disabled.
You plan to perform hardware maintenance on Server3. You need to ensure that if the WAN link between Site1
and Site2 fails while you are performing maintenance on Server3, the cluster resource will remain available in
Site1.
What should you do?

A. Enable dynamic quorum management.
B. Remove the node vote for Server3.
C. Add a file share witness in Site1.
D. Remove the node vote for Server4 and Server5.

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:

http://msdn.microsoft.com/en-us/library/hh270280.aspx#VotingandNonVotingNodes
QUESTION 6
* Your network contains an Active Directory domain named contoso.com. The domain contains two member
servers named Server1 and Server2 that run Windows Server 2012.
You configure a new failover cluster named Cluster1. Server1 and Server2 are nodes in Cluster1.
You need to configure the disk that will be used as a witness disk for Cluster1.
How should you configure the witness disk?
To answer, drag the appropriate configurations to the correct location or locations. Each configuration may be
used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view
content.
Select and Place:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:

http://technet.microsoft.com/en-us/library/jj612870.aspx#BKMK_witness
QUESTION 7
Your network contains an Active Directory domain named contoso.com. The domain contains four member
servers named Server1, Server2, Server3, and Server4.
Server1 and Server2 run Windows Server 2008 R2. Server1 and Server2 have the Hyper-V server role and the
Failover Clustering feature installed.
Failover Clustering is configured to provide highly available virtual machines by using a cluster named Cluster1.
Cluster1 hosts 10 virtual machines. Server3 and Server4 run Windows Server 2012.
You install the Hyper-V server role and the Failover Clustering feature on Server3 and Server4. You create a
cluster named Cluster2.
You need to migrate cluster resources from Cluster1 to Cluster2. The solution must minimize downtime on the
virtual machines.
Which five actions should you perform?

To answer, move the appropriate five actions from the list of actions to the answer area and arrange them in
the correct order.
Select and Place:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
After the migration, you will need to take the virtual machines offline on the old cluster, follow your plans to
mask the volumes that contain the virtual machines to the old cluster and unmask the volumes to the new
cluster, and then bring the virtual machines online on the new cluster.
There will be a brief service interruption during the migration. To minimize the effects on users, schedule the
migration during a maintenance window. We also recommend that you pretest and verify the migration before
you migrate the virtual machines in your production environment.
NOTE: You cannot use live migration to migrate a highly available virtual machine to a new failover cluster.
http://technet.microsoft.com/en-us/library/dn486772.aspx

http://blogs.msdn.com/b/clustering/archive/2012/06/25/10323434.aspx
*
(Shut down VM cluster 1
Unmask Cluster 2
Mask Cluster 1
Start VM Cluster 2
From failover cluster 1 run migrate)
QUESTION 8
* Your network contains an Active Directory domain named contoso.com. The domain contains four member
servers named Server1, Server2, Server3, and Server4. All servers run Windows Server 2012.
Server1 and Server2 are located in a site named Site1. Server3 and Server4 are located in a site named Site2.
The servers are configured as nodes in a failover cluster named Cluster1.
Cluster1 is configured to use the Node Majority quorum configuration.
You need to ensure that Server1 is the only server in Site1 that can vote to maintain quorum.
What should you run from Windows PowerShell?
To answer, drag the appropriate commands to the correct location. Each command may be used once, more
than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
Select and Place:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
Get-ClusterNode
Get information about one or more nodes (servers) in a failover cluster.

http://technet.microsoft.com/en-us/library/hh270281.aspx
http://technet.microsoft.com/en-us/library/ee460990.aspx
QUESTION 9
* Your company has a main office and a remote office. The remote office is used for disaster recovery.
The network contains an Active Directory domain named contoso.com. The domain contains member servers
named Server1, Server2, Server3, and Server4. All servers run Windows Server 2012.
Server1 and Server2 are located in the main office. Server3 and Server4 are located in the remote office.
All servers have the Failover Clustering feature installed. The servers are configured as nodes in a failover
cluster named Cluster1. Storage is replicated between the main office and the remote site.
You need to ensure that Cluster1 is available if two nodes in the same office fail.
What are two possible quorum configurations that achieve the goal? (Each correct answer presents a complete
solution. Choose two.)
A. Node Majority
B. No Majority: Disk Only
C. Node and File Share Majority
D. Node and Disk Majority

Correct Answer: AB

Section: (none)
Explanation
Explanation/Reference:
Explanation: Depending on the quorum configuration option that you choose and your specific settings, the
cluster will be configured in one of the following quorum modes:
* (A) Node majority (no witness)
Only nodes have votes. No quorum witness is configured. The cluster quorum is the majority of voting nodes in
the active cluster membership.
* (B) No majority (disk witness only)
No nodes have votes. Only a disk witness has a vote. The cluster quorum is determined by the state of the disk
witness.
The cluster has quorum if one node is available and communicating with a specific disk in the cluster storage.
Generally, this mode is not recommended, and it should not be selected because it creates a single point of
failure for the cluster.
* Node majority with witness (disk or file share)
Nodes have votes. In addition, a quorum witness has a vote. The cluster quorum is the majority of voting nodes
in the active cluster membership plus a witness vote. A quorum witness can be a designated disk witness or a
designated file share witness.
Note:
* Quorum in Windows 2008 R2 referred to a consensus, that is, a majority of votes is required in order to reach
quorum and maintain stability of the cluster. A new option created in Windows Server 2012, which was also
backported to Windows Server 2008 R2 SP1, was the ability to stop a node from participating in the
voting process.
* Dynamic quorum is the ability of the cluster to recalculate quorum on the fly and still maintain a working
cluster. This is a huge improvement as we are now able to continue to run a cluster even if the number of
nodes remaining in the cluster is less than 50%. This was not possible before but the dynamic quorum concept
now allows us to do this. In fact we can reduce the cluster down to the last node (known as last man standing)
and still maintain quorum.
Reference: Configure and Manage the Quorum in a Windows Server 2012 Failover Cluster
QUESTION 10
* Your network contains an Active Directory domain named contoso.com. The domain contains four servers
named Server1, Server2, Server3, and Server4 that run Windows Server 2012. All servers have the Hyper-V
server role and the Failover Clustering feature installed.
The servers are configured as shown in the following table.

You must set up Cluster2 as a replica of Cluster1.


Which three actions should you perform? (Each correct answer presents part of the solution. Choose three.)
A. From Hyper-V Manager on a node in Cluster2, create three virtual machines.
B. From Hyper-V Manager on a node in Cluster2, modify the Hyper-V settings.
C. From Failover Cluster Manager on Cluster1, configure each virtual machine for replication.
D. From Cluster1, add and configure the Hyper-V Replica Broker role.
E. From Cluster2, add and configure the Hyper-V Replica Broker role.
Correct Answer: ACE
Section: (none)
Explanation
Explanation/Reference:
Explanation: A: Need to have same number of replicated VMs in the replicated site.
C: Once the hosting server is configured for Replica, you can enable replication for each virtual machine that
you want to be replicated.
E: The Hyper-V Replica Broker is placed in the replicated cluster.
Note:
* Each node of the failover cluster that is involved in Replica must have the Hyper-V server role installed.
* Windows Server 2012 Hyper-V Replica is a built-in mechanism for replicating Virtual Machines (VMs). It can
replicate selected VMs in real-time or asynchronously from a primary site to a designated replica site across
LAN/WAN. Here a replica site hosts a replicated VM while an associated primary site is where the source VM
runs. And either a replica site or a primary site can be a Windows Server 2012 Hyper-V host or a Windows
Server 2012 Failover Cluster.
QUESTION 11
* Your network contains an Active Directory domain named contoso.com. The domain contains two member
servers named Server1 and Server2. All servers run Windows Server 2012.
Server1 and Server2 have the Failover Clustering feature installed. The servers are configured as nodes in a
failover cluster named Cluster1. Cluster1 has access to four physical disks. The disks are configured as shown
in the following table.

You need to ensure that all of the disks can be added to a Cluster Shared Volume (CSV).
Which two actions should you perform? (Each correct answer presents part of the solution.
Choose two.)
A. Enable BitLocker on Disk4.
B. Format Disk3 to use NTFS.
C. Format Disk2 to use NTFS.
D. Disable BitLocker on Disk1.

Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
You cannot use a disk for a CSV that is formatted with FAT, FAT32, or Resilient File System (ReFS).
Cluster Shared Volumes (CSV) is a feature of Failover Clustering first introduced in Windows Server 2008 R2
for use with the Hyper-V role. A Cluster Shared Volume is a shared disk containing an NTFS volume that is
made accessible for read and write operations by all nodes within a Windows Server Failover Cluster.
While CSV is not required for Live Migration of VMs, it reduces the potential disconnection period at the end of
the migration since the NTFS file system does not have to be unmounted/mounted as is the case with a
traditional cluster disk. This helps ensure seamless live migration since the physical disk resource does not
need to be moved between nodes. CSV increases the chance that a live migration will complete within the TCP
reconnect window and ensure a seamless operation to clients.
http://en.wikipedia.org/wiki/Cluster_Shared_Volumes
http://technet.microsoft.com/en-us/library/dd446679(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/hh831656.aspx
http://technet.microsoft.com/en-us/library/jj628158.aspx
QUESTION 12
* Your network contains an Active Directory domain named contoso.com. The domain contains two member
servers named Server1 and Server2. All servers run Windows Server 2012.
Server1 and Server2 have the Failover Clustering feature installed. The servers are configured as nodes in a
failover cluster named Cluster1. Cluster1 contains a Clustered Shared Volume (CSV).
A developer creates an Application named App1. App1 is NOT a cluster-aware Application.
App1 stores data in the file system.
You need to ensure that App1 runs in Cluster1. The solution must minimize development effort.
Which cmdlet should you run?
A. Add-ClusterGenericServiceRole
B. Add-ClusterServerRole
C. Add-ClusterGenericApplicationRole
D. Add-ClusterScaleOutFileServerRole

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Add-ClusterGenericApplicationRole
Configure high availability for an application that was not originally designed to run in a failover cluster.
If you run an application as a Generic Application, the cluster software will start the application, then periodically
query the operating system to see whether the application appears to be running. If so, it is presumed to be
online, and will not be restarted or failed over.

http://technet.microsoft.com/en-us/library/ee460976.aspx
QUESTION 13
Your network contains an Active Directory domain named contoso.com. The domain contains two member
servers named Server1 and Server2. All servers run Windows Server 2012.
Server1 and Server2 have the Failover Clustering feature installed. The servers are configured as nodes in a
failover cluster named Cluster1. Cluster1 contains a file server role named FS1 and a generic service role
named SVC1. Server1 is the preferred node for FS1. Server2 is the preferred node for SVC1.
You plan to run a disk maintenance tool on the physical disk used by FS1.
You need to ensure that running the disk maintenance tool does not cause a failover to occur.
What should you do before you run the tool?
A. Run cluster.exe and specify the pause parameter.
B. Run cluster.exe and specify the offline parameter.
C. Run Suspend-ClusterResource
D. Run Suspend-ClusterNode.

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Sometimes during maintenance or diagnosis that involves a service or application in a failover cluster, you
might need to bring that service or application online or take it offline. Bringing an application online or taking it
offline does not trigger failover, although the Cluster service handles the process in an orderly fashion. For
example, if a particular disk is required by a particular clustered application, the Cluster service ensures that the
disk is available before the application starts.
The Cluster.exe command-line tool is deprecated, but it can be optionally installed with the Failover Clustering
tools.
Suspend-ClusterResource: Turn on maintenance for a disk resource or Cluster Shared Volume so that you
can run a disk maintenance tool without triggering failover.
http://technet.microsoft.com/en-us/library/cc755234.aspx
http://technet.microsoft.com/en-us/library/cc723245.aspx

QUESTION 14
* You are employed as a network administrator at contoso.com. contoso.com has a single Active Directory
domain named contoso.com. All servers on the Contoso.com network have Windows Server 2012 installed.
Contoso.com has two servers, named server1 and server2, which are configured in a two-node failover cluster.
You are currently configuring the quorum settings for the cluster. You want to make use of a quorum mode
that allows each node to vote if it is available and in communication.
Which of the following is the mode you should use?
A. Node Majority
B. Node and Disk Majority
C. Node and File Share Majority
D. No Majority: Disk Only

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Node Majority: Allows each node to vote
http://technet.microsoft.com/en-us/library/cc770620(v=ws.10).aspx

QUESTION 15
* Your network contains an Active Directory domain named contoso.com. The domain contains two member
servers named Server1 and Server2. All servers run Windows Server 2012.
Server1 and Server2 have the Hyper-V server role and the Failover Clustering feature installed.
Server1 and Server2 are members of a cluster named Cluster1. Cluster1 hosts 10 virtual machines.
When you try to migrate a running virtual machine from one server to another, you receive the following error
message: "There was an error checking for virtual machine compatibility on the target node."
You need to ensure that the virtual machines can be migrated from one node to another.
From which node should you perform the configuration?
To answer, select the appropriate node in the answer area.

Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:

http://download.microsoft.com/download/F/2/1/F2146213-4AC0-4C50-B69A-12428FF0B077/VM%20processor%20compatibility%20mode.doc
http://support.microsoft.com/kb/2003737
http://www.shogan.co.uk/vmware/live-migrating-a-vm-on-a-hyper-v-failover-cluster-fails-processor-specificfeatures-not-supported/
QUESTION 16
* Your network contains four servers that run Windows Server 2012.
Each server has the Failover Clustering feature installed. Each server has three network adapters installed. An
iSCSI SAN is available on the network.
You create a failover cluster named Cluster1. You add the servers to the cluster.
You plan to configure the network settings of each server node as shown in the following table.

You need to configure the network settings for Cluster1.


What should you do?
To answer, drag the appropriate network communication setting to the correct cluster network. Each network
communication setting may be used once, more than once, or not at all. You may need to drag the split bar
between panes or scroll to view content.
Select and Place:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:

http://technet.microsoft.com/en-us/library/cc725775.aspx
Do not allow cluster network communication on this network
Select this option if you are using a network only for iSCSI (communication with storage) or only for backup.
(These are among the most common reasons for selecting this option.)
QUESTION 17
* Your network contains an Active Directory domain named contoso.com. The domain contains two member
servers named Server1 and Server2. All servers run Windows Server 2012.
Server1 and Server2 have the Failover Clustering feature installed. The servers are configured as nodes in a
failover cluster named Cluster1.
Cluster1 hosts an Application named App1.
You need to ensure that Server2 handles all of the client requests to the cluster for App1. The solution must
ensure that if Server2 fails, Server1 becomes the active node for App1.
What should you configure?
A. Affinity-None
B. Affinity-Single
C. The cluster quorum settings
D. The failover settings
E. A file server for general use
F. The Handling priority
G. The host priority
H. Live migration
I. The possible owner
J. The preferred owner
K. Quick migration
L. the Scale-Out File Server

Correct Answer: J
Section: (none)
Explanation
Explanation/Reference:
Preferred Owners: For a given VM (technically any cluster Group) you can configure the preference for node
order on failover. So let's say that this VM normally runs on NodeA and you always want it next to go to NodeC
if it is available, then preferred owners is a way for you to define a preference of first go to this node, then next
go to this other node, then go to this next node. It's a priority list, and clustering will walk that list in where to
place the VM. This will override the default behavior of selecting the node currently hosting the least VMs I
described above, and gives you explicit control of where VMs go.
http://blogs.msdn.com/b/clustering/archive/2008/10/14/9000092.aspx
Failover behavior on clusters of three or more nodes
The preferred owner in a 2 server cluster will always be the active node unless it is down.
QUESTION 18
* Your network contains an Active Directory domain named contoso.com. The domain contains two member
servers named Server1 and Server2. All servers run Windows Server 2012.
Server1 and Server2 have the Failover Clustering feature installed. The servers are configured as nodes in a
failover cluster named Cluster1.

You add two additional nodes to Cluster1.


You need to ensure that Cluster1 stops running if three nodes fail.
What should you configure?
A. Affinity-None
B. Affinity-Single
C. The cluster quorum settings
D. The failover settings
E. A file server for general use
F. The Handling priority
G. The host priority
H. Live migration
I. The possible owner
J. The preferred owner
K. Quick migration
L. the Scale-Out File Server

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
How the quorum configuration affects the cluster
The quorum configuration in a failover cluster determines the number of failures that the cluster can sustain. If
an additional failure occurs, the cluster must stop running. The relevant failures in this context are failures of
nodes or, in some cases, of a disk witness (which contains a copy of the cluster configuration) or file share
witness. It is essential that the cluster stop running if too many failures occur or if there is a problem with
communication between the cluster nodes.
The quorum configuration in a failover cluster determines the number of failures that the cluster can sustain.

http://technet.microsoft.com/en-us/library/cc731739.aspx

QUESTION 19
* Your network contains an Active Directory domain named contoso.com. The domain contains two member
servers named Server1 and Server2. All servers run Windows Server 2012.
Server1 and Server2 have the Failover Clustering feature installed. The servers are configured as nodes in a
failover cluster named Cluster1.
You configure File Services and DHCP as clustered resources for Cluster1. Server1 is the active node for both
clustered resources.
You need to ensure that if two consecutive heartbeat messages are missed between Server1 and Server2,
Server2 will begin responding to DHCP requests. The solution must ensure that Server1 remains the active
node for the File Services clustered resource for up to five missed heartbeat messages.
What should you configure?
A. Affinity-None
B. Affinity-Single
C. The cluster quorum settings
D. The failover settings
E. A file server for general use
F. The Handling priority
G. The host priority
H. Live migration
I. The possible owner
J. The preferred owner
K. Quick migration
L. the Scale-Out File Server
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Virtual Server provides a service where a user can be notified if a virtual machine is not responding. This is
called the virtual machine heartbeat. There are two situations under which a virtual machine might not send its
heartbeat. One is because the virtual machine has crashed - and no programs are running any longer. The
other is because another program on the virtual machine may be using all of the CPU resources and not
leaving enough CPU time for our code to be able to send a heartbeat message.
Think of it like your cell phone, when the other end goes silent how long are you willing to sit there going "Hello?
... Hello?... Hello?" before you hang up the phone and call the person back. When the other end goes silent,
you don't know when or even if they will come back.
http://blogs.msdn.com/b/virtual_pc_guy/archive/2006/02/20/534836.aspx
The number of heartbeats that can be missed before failover occurs is known as the heartbeat threshold.

http://technet.microsoft.com/en-us/library/dd197562(v=ws.10).aspx
http://blogs.msdn.com/b/clustering/archive/2012/11/21/10370765.aspx
QUESTION 20
* Your network contains an Active Directory domain named contoso.com. The domain contains two member
servers named Server1 and Server2. All servers run Windows Server 2012.

Server1 and Server2 have the Failover Clustering feature installed. The servers are configured as nodes in a
failover cluster named Cluster1.
You add two additional nodes to Cluster1.
You have a folder named Folder1 on Server1 that contains Application data.
You plan to provide continuously available access to Folder1.
You need to ensure that all of the nodes in Cluster1 can actively respond to the client requests for Folder1.
What should you configure?
A. Affinity-None
B. Affinity-Single
C. The cluster quorum settings
D. The failover settings
E. A file server for general use
F. The Handling priority
G. The host priority
H. Live migration
I. The possible owner
J. The preferred owner
K. Quick migration
L. the Scale-Out File Server

Correct Answer: L
Section: (none)
Explanation
Explanation/Reference:
You can actually use the Windows Server 2012 Scale-Out File Server and Server Message Block to create a
level of fault-tolerant storage.
http://technet.microsoft.com/en-us/library/hh831349.aspx
http://technet.microsoft.com/en-us/magazine/jj992578.aspx
Scale-Out File Server for Application data (Scale-Out File Server) This clustered file server is introduced in
Windows Server 2012 and lets you store server Application data, such as Hyper-V virtual machine files, on file
shares, and obtain a similar level of reliability, availability, manageability, and high performance that you would
expect from a storage area network. All file shares are online on all nodes simultaneously. File shares
associated with this type of clustered file server are called scale-out file shares. This is sometimes referred to
as active-active.

QUESTION 21
* Information and details provided in a question apply only to that question.
Your network contains an Active Directory domain named contoso.com. The domain contains two member
servers named Server1 and Server2. All servers run Windows Server 2012.
Server1 and Server2 have the Network Load Balancing (NLB) feature installed. The servers are configured as
nodes in an NLB cluster named Cluster1.
Cluster1 hosts a secure web Application named WebApp1. WebApp1 saves user state information locally on
each node.
You need to ensure that when users connect to WebApp1, their session state is maintained.
What should you configure?
A. Affinity-None
B. Affinity-Single
C. The cluster quorum settings
D. The failover settings
E. A file server for general use
F. The Handling priority
G. The host priority
H. Live migration
I. The possible owner
J. The preferred owner
K. Quick migration
L. the Scale-Out File Server

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
http://technet.microsoft.com/en-us/library/bb687542.aspx
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/77cb4318-75f8-4310-a05f3605b5768007.mspx
Use the client affinity feature. When client affinity is enabled, Network Load Balancing directs all TCP
connections to the same cluster host. This allows session state to be maintained in host memory. You can
enable client affinity in the Add/Edit Port Rules dialog box in Network Load Balancing Manager. Choose either
Single or Class C affinity to ensure that only one cluster host will handle all connections that are part of the
same client session. This is important if the server application running on the cluster host maintains session
state (such as server cookies) between connections.

QUESTION 22
* Your network contains an Active Directory domain named contoso.com. The domain contains two member
servers named Server1 and Server2. All servers run Windows Server 2012.
Server1 and Server2 have the Network Load Balancing (NLB) feature installed. The servers are configured as
nodes in an NLB cluster named Cluster1.
Port rules are configured for all clustered Applications.
You need to ensure that Server2 handles all client requests to the cluster that are NOT covered by a port rule.
What should you configure?
A. Affinity-None
B. Affinity-Single
C. The cluster quorum settings
D. The failover settings
E. A file server for general use
F. The Handling priority
G. The host priority
H. Live migration
I. The possible owner
J. The preferred owner
K. Quick migration
L. The Scale-Out File Server

Correct Answer: G
Section: (none)
Explanation
Explanation/Reference:

http://technet.microsoft.com/en-us/library/bb742455.aspx
http://technet.microsoft.com/en-us/library/cc771709.aspx
QUESTION 23
Your network contains two servers named Server1 and Server2 that run Windows Server 2008 R2. Server1
and Server2 are nodes in a failover cluster named Cluster1. The network contains two servers named Server3
and Server4 that run Windows Server 2012. Server3 and Server4 are nodes in a failover cluster named
Cluster2.
You need to move all of the applications and the services from Cluster1 to Cluster2.
What should you do first from Failover Cluster Manager?
A. On a server in Cluster2, configure Cluster-Aware Updating.
B. On a server in Cluster2, click Move Core Cluster Resources, and then click Best Possible Node.
C. On a server in Cluster1, click Move Core Cluster Resources, and then click Select Node.
D. On a server in Cluster1, click Migrate Roles.

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:

http://blogs.technet.com/b/hugofe/archive/2012/12/06/best-practices-for-migration-of-cluster-windows-2008-r22012-as-melhores-praticas-para-migrar-um-cluster-de-windows-2008-para-windows-2012.aspx
QUESTION 24
* Your network contains three Application servers that run Windows Server 2012. The Application servers have
the Network Load Balancing (NLB) feature installed.
You create an NLB cluster that contains the three servers.
You plan to deploy an Application named App1 to the nodes in the cluster. App1 uses TCP port 8080 and TCP
port 8081.
Clients will connect to App1 by using HTTP and HTTPS. When clients connect to App1 by using HTTPS,
session state information will be retained locally by the cluster node that responds to the client request.
You need to configure a port rule for App1.
Which port rule should you use?
To answer, select the appropriate rule in the answer area.
Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
QUESTION 25
* Your network contains two servers named Server1 and Server2 that run Windows Server 2012.
Server1 and Server2 have the Hyper-V server role installed. Server1 and Server2 are configured as Hyper-V
replicas of each other.
Server1 hosts a virtual machine named VM1. VM1 is replicated to Server2.
You need to verify whether the replica of VM1 on Server2 is functional. The solution must ensure that VM1
remains accessible to clients.
What should you do from Hyper-V Manager?
A. On Server1, execute a Planned Failover.
B. On Server1, execute a Test Failover.
C. On Server2, execute a Planned Failover.
D. On Server2, execute a Test Failover.

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Have you ever wondered: "I have enabled replication and it looks like everything is in progress, but how do I
know that I am truly protected?"
At a high level, Hyper-V Replica supports three types of Failover:
Test Failover
Planned Failover
Unplanned Failover

http://blogs.technet.com/b/virtualization/archive/2012/07/31/types-of-failover-operations-in-hyper-v-replica-partiiplanned-failover.aspx
http://blogs.technet.com/b/virtualization/archive/2012/07/26/types-of-failover-operations-in-hyper-v-replica.aspx
QUESTION 26
* Your network contains two Web servers named Server1 and Server2.
Server1 and Server2 are nodes in a Network Load Balancing (NLB) cluster.
You configure the nodes to use the port rule shown in the exhibit. (Click the Exhibit button.)
You need to configure the NLB cluster to meet the following requirements:
HTTPS connections must be directed to Server1 if Server1 is available. HTTP connections must be load
balanced between the two nodes.
Which three actions should you perform? (Each correct answer presents part of the solution. Choose three.)
Exhibit:

A. From the host properties of Server1, set the Handling priority of the existing port rule to 2.
B. From the host properties of Server1, set the Handling priority of the existing port rule to 1.
C. From the host properties of Server2, set the Priority (Unique host ID) value to 1.
D. Create a port rule for TCP port 80. Set the Filtering mode to Multiple host and set the Affinity to None.
E. From the host properties of Server2, set the Handling priority of the existing port rule to 2.
F. Create an additional port rule for TCP port 443. Set the Filtering mode to Multiple host and set the Affinity to
Single.

Correct Answer: BDE


Section: (none)
Explanation
Explanation/Reference:
Explanation: Handling priority: When Single host filtering mode is being used, this parameter specifies the local
host's priority for handling the networking traffic for the associated port rule. The host with the highest handling
priority (lowest numerical value) for this rule among the current members of the cluster will handle all of the
traffic for this rule. The allowed values range from 1, the highest priority, to the maximum number of hosts
allowed (32). This value must be unique for all hosts in the cluster.
E (not C): Lower priority (2) for Server 2.
D: HTTP is port 80.
Multiple hosts. This parameter specifies that multiple hosts in the cluster handle network traffic for the
associated port rule. This filtering mode provides scaled performance in addition to fault tolerance by
distributing the network load among multiple hosts. You can specify that the load be equally distributed among
the hosts or that each host handle a specified load weight.

Reference: Network Load Balancing parameters


QUESTION 27
* Your network contains an Active Directory domain named contoso.com. The domain contains two member
servers named Server1 and Server2. All servers run Windows Server 2012.
Server1 and Server2 have the Failover Clustering feature installed. The servers are configured as nodes in a
failover cluster named Cluster1.
You add two additional nodes in Cluster1.
You have a folder named Folder1 on Server1 that hosts Application data. Folder1 is a folder target in a
Distributed File System (DFS) namespace.
You need to provide highly available access to Folder1. The solution must support DFS Replication to Folder1.
What should you configure?
A. Affinity-None
B. Affinity-Single
C. The cluster quorum settings
D. The failover settings
E. A File Server for General Use
F. The Handling priority
G. The host priority
H. Live migration
I. The possible owner
J. The preferred owner
K. Quick migration
L. The Scale-Out File Server

Correct Answer: E
Section: (none)
Explanation
Explanation/Reference:

Although a Scale-Out File Server supports DFS Namespace Folder Target it does NOT support DFS
Replication as per the question. Hence, A File Server for General Use.
Continuously Available File Shares (CAFS) is an important new technology in Windows Server 2012. At its
basic level, Server 2012's CAFS feature takes Windows file sharing capabilities and scales them using a
Server 2012 cluster. CAFS takes advantage of new Server Message Block (SMB) 3.0 capabilities to increase
the availability of Windows Server file shares used for document storage and application support. Some of the
new SMB 3.0 features that enable CAFS include SMB Scale-Out, SMB Direct, and SMB Multichannel.
The CAFS feature addresses problems that occurred in earlier implementations of highly available file servers
on Windows Server failover clusters. Previous implementations provided high availability for file shares but
were hampered by brief periods of downtime and a momentary loss of connectivity in the event of a failover.
Such brief outages were usually acceptable for Microsoft Office-type applications that perform frequent file
opens and closes, because these apps could reconnect and save changes after the failover completed.
However, these same outages weren't acceptable for applications like Hyper-V or SQL Server, which hold files
open for extended periods of time, and outages would result in data loss. Before the advent of Server 2012,
Microsoft didn't support these types of server installations on file shares. Providing application support was one
of Microsoft's primary design points for CAFS. While you can use CAFS for simple client file sharing, CAFS is
really targeted at supporting server applications. CAFS gives you the ability to take advantage of Windows
Server's low-cost storage capabilities for mission-critical applications. CAFS provides continuous access to file
shares with almost zero downtime.
Choose an Implementation
There are essentially two ways to implement CAFS:
General Purpose File Server: Very much like the highly available file server support in Windows Server
2008 R2, the CAFS general use file server implementation allows a file share to be supported on a failover
cluster. CAFS improves the availability and performance of this implementation with the new higher
performance SMB 3.0 client access.
Scale-Out File Server: The scale-out file server implementation is the new CAFS option for supporting
applications like Hyper-V and SQL Server with no downtime. This implementation is limited to four servers.

http://windowsitpro.com/windows-server-2012/windows-server-2012-implement-continuously-available-fileshares
QUESTION 28
Your network contains an Active Directory domain named contoso.com. The domain contains two servers
named Node1 and Node2. Node1 and Node2 run Windows Server 2012. Node1 and Node2 are configured as
a two-node failover cluster named Cluster2.
The computer accounts for all of the servers reside in an organizational unit (OU) named Servers.
A user named User1 is a member of the local Administrators group on Node1 and Node2.
User1 creates a new clustered File Server role named File1 by using the File Server for general use option. A
report is generated during the creation of File1 as shown in the exhibit. (Click the Exhibit button.)
File1 fails to start. You need to ensure that you can start File1.
What should you do?
Exhibit:

A. Log on to the domain by using the built-in Administrator for the domain, and then recreate the clustered File
Server role by using the File Server for general use option.
B. Recreate the clustered File Server role by using the File Server for scale-out Application data option.
C. Assign the computer account permissions of Cluster2 to the Servers OU.
D. Assign the user account permissions of User1 to the Servers OU.
E. Increase the value of the ms-DS-MachineAccountQuota attribute of the domain.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Scale-Out File Server for Application Data

When you use Failover Cluster Manager, the changes you make are performed not as the user but as the
cluster machine account.
You have created a Windows Server 2012 Scale-Out File Server. The cluster, including the network and
storage, pass the cluster validation test.
Everything looks and is good. You create a File Server role for application data (SOFS) but it fails to start:

The fix is in:


1) Open Active Directory Users And Computers.
2) Enable Advanced view if not enabled.
3) Edit the properties of the OU containing the cluster computer object
4) Open the Security tab and click Advanced
5) Click Add (opens Permission Entry dialog), click Select A Principal, Click Object Types and select
Computers. Enter the name of the cluster computer object.

6) Back in the Permission Entry dialog, scroll down, and select Create Computer Objects.

7) OK everything, (you might need to wait for your DCs to replicate if you have site links to deal with) return to
Failover Cluster Manager, right-click on the SOFS role, and click Start Role. It should now start up.
http://www.aidanfinn.com/?p=14142

http://technet.microsoft.com/en-us/library/hh831349.aspx
QUESTION 29
Your network contains an Active Directory domain named contoso.com. The domain contains four servers
named Server1, Server2, Server3, and Server4 that run Windows Server 2012. All servers have the Hyper-V
server role and the Failover Clustering feature installed.

You need to replicate virtual machines from Cluster1 to Cluster2.


Which three actions should you perform? (Each correct answer presents part of the solution. Choose three.)
A. From Hyper-V Manager on a node in Cluster2, create three virtual machines.
B. From Cluster2, add and configure the Hyper-V Replica Broker role.
C. From Failover Cluster Manager on Cluster1, configure each virtual machine for replication.
D. From Cluster1, add and configure the Hyper-V Replica Broker role.
E. From Hyper-V Manager on a node in Cluster2, modify the Hyper-V settings.

Correct Answer: BCD


Section: (none)
Explanation
Explanation/Reference:

What Is Hyper-V Replica?


Hyper-V Replica is new functionality added to the Hyper-V Role in Windows Server "8" Beta. Hyper-V Replica
enables organizations to implement an affordable Business Continuity and Disaster Recovery (BCDR) solution
for virtualized workloads. This allows virtual machines running at a primary site to be efficiently replicated to
secondary location (Replica site) across a WAN link.

Failover Replication Broker Architecture


The Hyper-V Replica Broker runs in a Replica cluster and provides a Replica server name (connection point
(a.k.a. Client Access Point (CAP))) for initial virtual machine placement when contacted by a Primary server.
After a virtual machine is initially replicated to the Replica Cluster, the Hyper-V Replica Broker provides the
virtual machine to Replica Server (cluster node) mapping to ensure the Primary server can replicate data for the
virtual machine to the correct node in the cluster in support of mobility scenarios on the Replica side (e.g.
Live/Quick Migration, or Storage Migration).
The Hyper-V Replica Broker role tracks the movement of Replica virtual machines hosted in a Failover Cluster.
As part of virtual machine mobility scenarios, virtual machines can be migrated between nodes in the cluster.
The Hyper-V Replica Broker Manager provides information that ensures proper, continued replication of virtual
machines.

http://technet.microsoft.com/en-us/library/jj134153.aspx#BKMK_1_2
http://download.microsoft.com/download/F/F/1/FF1FA6DE-E82A-48EF-BDCC-612C2D588BFE/Understand%20and%20Troubleshoot%20Guide%20Hyper-V%20Replica%20in%20Windows%20Server%208%20Beta.docx
http://technet.microsoft.com/en-us/library/jj134240.aspx
A Replica virtual machine is created on the Replica server. If you elected to send the initial copy over the
network, the transmission begins either immediately or at the time you configured. If you elected to use external
media for the initial copy, the necessary files are copied to a local location. Copy the files to the media you will
use to transfer the initial copy and then send the media to the Replica site.

QUESTION 30
Your network contains an Active Directory domain named contoso.com. The domain contains two member
servers named Server1 and Server2. All servers run Windows Server 2012.
Server1 and Server2 have the Network Load Balancing (NLB) feature installed. The servers are configured as
nodes in an NLB cluster named Cluster1. Both servers connect to the same switch.
Cluster1 hosts a secure web Application named WebApp1. WebApp1 saves user state information in a central
database.
You need to ensure that the connections to WebApp1 are distributed evenly between the nodes. The solution
must minimize port flooding.
What should you configure? To answer, configure the appropriate affinity and the appropriate mode for
Cluster1 in the answer area.
Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:

http://technet.microsoft.com/en-us/library/cc771709.aspx
QUESTION 31
Your network contains two Web servers named Server1 and Server2. Both servers run Windows Server 2012
R2.
Server1 and Server2 are nodes in a Network Load Balancing (NLB) cluster. The NLB cluster contains an
application named App1 that is accessed by using the URL http://app1.contoso.com.
You plan to perform maintenance on Server1.
You need to ensure that all new connections to App1 are directed to Server2. The solution must not disconnect
the existing connections to Server1.
What should you run?

A. The Set-NlbCluster cmdlet
B. The Set-NlbClusterNode cmdlet
C. The Stop-NlbCluster cmdlet
D. The Stop-NlbClusterNode cmdlet

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Stop-NlbClusterNode can be used if the -drain switch is used to drain active connections without disconnecting
existing connections:
Detailed Description
The Stop-NlbClusterNode cmdlet stops a node in an NLB cluster. When you stop the nodes in the
cluster, client connections that are already in progress are interrupted. To avoid interrupting active connections,
consider using the -drain parameter, which allows the node to continue servicing active connections but
disables all new traffic to that node.
If there is a Suspend-NlbClusterNode option, that is the correct answer.
http://technet.microsoft.com/en-us/library/ee817114.aspx
Detailed Description
The Suspend-NlbClusterNode cmdlet suspends a specific node in an NLB cluster. You might need to suspend
a node in a cluster to override any remote control commands that are issued or for maintenance work.
QUESTION 32
* You have two failover clusters named Cluster1 and Cluster2. All of the nodes in both of the clusters run
Windows Server 2012 R2.
Cluster1 hosts two virtual machines named VM1 and VM2.
You plan to configure VM1 and VM2 as nodes in a new failover cluster named Cluster3.
You need to configure the witness disk for Cluster3 to be hosted on Cluster2.
Which three actions should you perform in sequence?
To answer, move the appropriate three actions from the list of actions to the answer area and arrange them in
the correct order.

Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
QUESTION 33
* Your network contains two Web servers named Server1 and Server2. Both servers run Windows Server 2012
R2.
Server1 and Server2 are nodes in a Network Load Balancing (NLB) cluster. The NLB cluster contains an
application named App1 that is accessed by using the name app1.contoso.com.
The NLB cluster has the port rules configured as shown in the exhibit. (Click the Exhibit button.)

To answer, complete each statement according to the information presented in the exhibit.
Each correct selection is worth one point.


Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
QUESTION 34
* Your network contains two servers named Server1 and Server2 that run Windows Server 2008 R2. Server1
and Server2 are nodes in a failover cluster named Cluster1. The network contains two servers named Server3
and Server4 that run Windows Server 2012 R2. Server3 and Server4 are nodes in a failover cluster named
Cluster2.
You need to move all of the applications and the services from Cluster1 to Cluster2.
What should you do first from Failover Cluster Manager?
A. On a server in Cluster1, click Move Core Cluster Resources, and then click Select Node.
B. On a server in Cluster2, configure Cluster-Aware Updating.
C. On a server in Cluster1, configure Cluster-Aware Updating.
D. On a server in Cluster1, click Migrate Roles.

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
http://technet.microsoft.com/en-us/library/dn530789.aspx
Cluster roles: Migrate the cluster roles. Use the Copy Cluster Roles Wizard in Failover Cluster Manager to
migrate the cluster roles to the new cluster.
QUESTION 35
* Your network contains an Active Directory domain named contoso.com. The domain contains two servers
named Node1 and Node2. Node1 and Node2 run Windows Server 2012 R2. Node1 and Node2 are configured
as a two-node failover cluster named Cluster2.
The computer accounts for all of the servers reside in an organizational unit (OU) named Servers.

A user named User1 is a member of the local Administrators group on Node1 and Node2.
User1 creates a new clustered File Server role named File1 by using the File Server for general use option. A
report is generated during the creation of File1 as shown in the exhibit. (Click the Exhibit button.)

File1 fails to start.


You need to ensure that you can start File1.
What should you do?
A. Log on to the domain by using the built-in Administrator for the domain, and then recreate the clustered File
Server role by using the File Server for general use option.
B. Recreate the clustered File Server role by using the File Server for scale-out Application data option.
C. Assign the computer account permissions of Cluster2 to the Servers OU.
D. Assign the user account permissions of User1 to the Servers OU.
E. Increase the value of the ms-DS-MachineAccountQuota attribute of the domain.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 36
* Your network contains an Active Directory domain named contoso.com. The domain contains four member
servers named Server1, Server2, Server3, and Server4. All servers run Windows Server 2012 R2.
Server1 and Server3 are located in a site named Site1. Server2 and Server4 are located in a site named Site2.
The servers are configured as nodes in a failover cluster named Cluster1.
Dynamic quorum management is disabled.
Cluster1 is configured to use the Node Majority quorum configuration.
You need to ensure that users in Site2 can access Cluster1 if the network connection between the two sites
becomes unavailable.
What should you run from Windows PowerShell?
To answer, drag the appropriate commands to the correct location. Each command may be used once, more
than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
QUESTION 37
* Your network contains two Web servers named Server1 and Server2. Both servers run Windows Server 2012
R2.
Server1 and Server2 are nodes in a Network Load Balancing (NLB) cluster. The NLB cluster contains an
application named App1 that is accessed by using the URL http://app1.contoso.com.
You deploy a new server named Server3 that runs Windows Server 2012 R2. The contoso.com DNS zone
contains the records shown in the following table.

You need to add Server3 to the NLB cluster.


What command should you run?
To answer, select the appropriate options in the answer area.

Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:

Configure file and storage solutions


QUESTION 1
* Your company has a main office and a branch office.
The main office contains a file server named Server1. Server1 has the BranchCache for Network Files role
service installed. The branch office contains a server named Server2. Server2 is configured as a BranchCache
hosted cache server.
You need to preload the data from the file shares on Server1 to the cache on Server2.
You generate hashes for the file shares on Server1.
Which cmdlet should you run next?
A. Add-BCDataCacheExtension
B. Set-BCCache
C. Publish-BCFileContent
D. Export-BCCachePackage

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
BranchCache is a wide area network (WAN) bandwidth optimization technology that is included in some
editions of the Windows Server 2012 and Windows 8 operating systems, as well as in some editions of
Windows Server 2008 R2 and Windows 7. To optimize WAN bandwidth when users access content on
remote servers, BranchCache copies content from your main office or hosted cloud content servers and caches
the content at branch office locations, allowing client computers at branch offices to access the content locally
rather than over the WAN.
At branch offices, content is stored either on servers that are configured to host the cache or, when no server is
available in the branch office, on client computers that are running Windows 8 or Windows 7. After a client
computer requests and receives content from the main office and the content is cached at the branch office,
other computers at the same branch office can obtain the content locally rather than downloading the content
from the content server over the WAN link.
When subsequent requests for the same content are made by client computers, the clients download content
information from the server instead of the actual content. Content information consists of hashes that are
calculated using chunks of the original content, and are extremely small compared to the content in the original
data. Client computers then use the content information to locate the content from a cache in the branch office,
whether the cache is located on a client computer or on a server. Client computers and servers also use
content information to secure cached content so that it cannot be accessed by unauthorized users.
You can use this procedure to force the creation of content information, also called hashes, on BranchCache-enabled
Web and file servers. You can also gather the data on file and web servers into packages that can be
transferred to remote hosted cache servers. This provides you with the ability to preload content on remote
hosted cache servers so that data is available for the first client access.
http://technet.microsoft.com/en-us/library/jj572970.aspx

QUESTION 2
* You manage an environment that has many servers. The servers run Windows Server 2012 and use iSCSI
storage.
Administrators report that it is difficult to locate available iSCSI resources on the network.
You need to ensure that the administrators can locate iSCSI resources on the network by using a central
repository.
Which feature should you deploy?
A. The iSCSI Target Server role service
B. The iSNS Server service feature
C. The Windows Standards-Based Storage Management feature
D. The iSCSI Target Storage Provider feature

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Internet Storage Name Service Server (iSNS Server)
The Internet Storage Name Service (iSNS) protocol is used for interaction between iSNS servers and iSNS
clients. iSNS clients are computers, also known as initiators, that are attempting to discover storage devices,
also known as targets, on an Ethernet network. iSNS facilitates automated discovery, management, and
configuration of iSCSI and Fibre Channel devices (using iFCP gateways) on a TCP/IP network.

http://technet.microsoft.com/en-us/library/cc772568.aspx
QUESTION 3
* Your network contains an Active Directory domain named contoso.com. The network contains a file server
named Server1 that runs Windows Server 2012.
You create a folder named Folder1. You share Folder1 as Share1. The NTFS permissions on Folder1 are
shown in the Folder1 exhibit. (Click the Exhibit button.)
The Everyone group has the Full control Share permission to Folder1.
You configure a central access policy as shown in the Central Access Policy exhibit. (Click the Exhibit button.)
Members of the IT group report that they cannot modify the files in Folder1. You need to ensure that the IT
group members can modify the files in Folder1. The solution must use central access policies to control the
permissions.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
NTFS permissions on Folder1 (exhibit):

central access policy (exhibit):

A. On the Classification tab of Folder1, set the classification to Information Technology.
B. On the Security tab of Folder1, add a conditional expression to the existing permission entry for the IT
group.
C. On Share1, assign the Change Share permission to the IT group.
D. On the Security tab of Folder1, remove the permission entry for the IT group.
E. On the Security tab of Folder1, assign the Modify permission to the Authenticated Users group.
Correct Answer: AE
Section: (none)
Explanation

Explanation/Reference:
Central access policies for files enable organizations to centrally deploy and manage authorization policies that
include conditional expressions that use user groups, user claims, device claims, and resource properties.
(Claims are assertions about the attributes of the object with which they are associated). For example, to
access high-business-impact (HBI) data, a user must be a full-time employee, obtain access from a managed
device, and log on with a smart card. These policies are defined and hosted in Active Directory Domain
Services (AD DS).
http://technet.microsoft.com/en-us/library/hh846167.aspx

QUESTION 4
* Your network contains an Active Directory domain named contoso.com. You are creating a custom Windows
Recovery Environment (Windows RE) image.
You need to ensure that when a server starts from the custom Windows RE image, a drive is mapped
automatically to a network share.
What should you modify in the image?
A. startnet.cmd
B. Xsl-mappings.xml
C. Win.ini
D. smb.types.ps1xml
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
The best way to define what to start is to use startnet.cmd.
Connecting to your network is done in the startnet.cmd. Your basic commands:
wpeinit
wpeutil initializenetworking
(add a ping command here if experiencing hardware delays)
net use z: \\server\share password /user:user
program.exe
http://technet.microsoft.com/en-us/library/cc766521(v=ws.10).aspx

QUESTION 5
* You have a file server named FS1 that runs Windows Server 8.
Data Deduplication is enabled on FS1.
You need to configure Data Deduplication to run at a normal priority from 20:00 to 06:00 daily.
What should you configure?
A. File and Storage Services in Server Manager
B. The Data Deduplication process in Task Manager
C. Disk Management in Computer Management
D. The properties of drive C

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Data Deduplication is designed to be installed on primary data volumes without adding additional dedicated
hardware. This means that you can install and use the feature without impacting the primary workload on the
server. The default settings are nonintrusive because they allow data to age for five days before processing a
particular file, and have a default minimum file size of 32 KB. The implementation is designed for low memory
and CPU usage, and if memory utilization becomes high, deduplication will wait for available resources.
Administrators can schedule more aggressive deduplication based on the type of data that is involved and the
frequency and volume of changes that occur to the volume or particular file types.

http://technet.microsoft.com/en-us/library/hh831700.aspx
QUESTION 6
* Your network contains an Active Directory domain named contoso.com. All file servers in the domain run
Windows Server 2012.
The computer accounts of the file servers are in an organizational unit (OU) named OU1. A Group Policy object
(GPO) named GPO1 is linked to OU1.

You plan to modify the NTFS permissions for many folders on the file servers by using central access policies.
You need to identify any users who will be denied access to resources that they can currently access once the
new permissions are implemented.
In which order should you perform the five actions?
Select and Place:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
The need to control the information in enterprise-level organizations for compliance and business regulations is
one of the drivers in the consolidation trend where large amounts of information from users' desktops and
departmental file shares are moved into centrally managed file servers.
Configure a Central Access Rule
Add Central Access Rule to Central Access Policy
Publish the Central Access Policy Using Group Policy
Configure a Windows Server 2012 File Server to work with Dynamic Access Control
http://technet.microsoft.com/de-de/library/hh831366.aspx
http://www.petri.co.il/dynamic-access-control-dac-configure-deploy-central-access-policy.htm
http://technet.microsoft.com/de-de/library/hh846167.aspx
QUESTION 7
* Your company has a main office and a branch office. An Active Directory site exists for each office.
The network contains an Active Directory forest named contoso.com. The contoso.com domain contains three
member servers named Server1, Server2, and Server3. All servers run Windows Server 2012.
In the main office, you configure Server1 as a file server that uses BranchCache.
In the branch office, you configure Server2 and Server3 as BranchCache hosted cache servers.
You are creating a Group Policy for the branch office site. In the branch office, you need to configure the client
computers that run Windows 8 to use Server2 and Server3 as BranchCache.

Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
BranchCache uses peer-to-peer networking across LANs to reduce file sharing and HTTP traffic across the
WAN. When you enable BranchCache, client computers running Windows 7 keep a local cached copy of data
that they copy from a file or Web server running Windows Server 2008 R2. If another computer running
Windows 7 on the same LAN or branch office needs the same data, that client can copy the data directly from
the local cache, reducing WAN bandwidth usage and potentially improving performance.

http://technet.microsoft.com/en-us/magazine/gg619377.aspx
http://blogs.technet.com/b/tnmag/archive/2011/02/09/use-group-policy-to-configure-branchcache-on-windows7-clients.aspx
QUESTION 8
* You have a server named Server1 that runs Windows Server 2012. Server1 has the File Server Resource
Manager role service installed.
You attempt to delete a classification property and you receive the error message as shown in the exhibit. (Click
the Exhibit button.)

You need to delete the isConfidential classification property.


What should you do?
A. Delete the classification rule that is assigned the isConfidential classification property.
B. Disable the classification rule that is assigned the isConfidential classification property.
C. Set files that have an isConfidential classification property value of Yes to No.
D. Clear the isConfidential classification property value of all files.

Correct Answer: A

Section: (none)
Explanation
Explanation/Reference:
What is the File Classification Infrastructure?
The Windows Server 2008 R2 File Classification Infrastructure (FCI) automates classification processes so that
you can manage your data more effectively. You can save money and reduce risk by storing and retaining files
based on their business value or impact. The built-in solution for file classification provides expiration, custom
tasks, and reporting. The extensible infrastructure enables you to meet additional customer classification needs
by building rich end-to-end classification solutions that are built on the classification foundation of Windows
Server in a consistent and supported way and within the existing Windows file serving platforms.

QUESTION 9
* You have a server named Server2 that runs Windows Server 2012. You have storage provisioned on Server2
as shown in the exhibit. (Click the Exhibit button.)
You need to configure the storage so that it appears in Windows Explorer as a drive letter on Server1.
Which three actions should you perform in sequence? To answer, move the three appropriate actions from the
list of actions to the answer area and arrange them in the correct order.
Exhibit:

Select and Place:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
Microsoft Internet iSCSI Initiator enables you to connect a host computer that is running Windows 7 or
Windows Server 2008 R2 to an external iSCSI-based storage array through an Ethernet network adapter. You
can use Microsoft iSCSI Initiator in your existing network infrastructure to enable block-based storage area
networks (SANs). SANs provide iSCSI target functionality without investing in additional hardware, and they
enable the use of iSCSI storage devices in home and small offices.
Microsoft iSCSI Initiator is installed natively on Windows Server 2012, Windows Server 2008 R2, Windows 7,
Windows Server 2008, and Windows Vista. On these operating systems, no installation steps are required.
http://technet.microsoft.com/en-us/library/cc772367.aspx
http://technet.microsoft.com/en-us/library/ee338480%28v=ws.10%29.aspx
QUESTION 10
* Your network contains an Active Directory domain named contoso.com. All servers run Windows Server
2012.
You are creating a central access rule named TestFinance that will be used to audit members of the
Authenticated Users group for access failure to shared folders in the finance department.
You need to ensure that access requests are unaffected when the rule is published.
What should you do?
A. Add a User condition to the current permissions entry for the Authenticated Users principal.
B. Set the Permissions to Use the following permissions as proposed permissions.
C. Add a Resource condition to the current permissions entry for the Authenticated Users principal.
D. Set the Permissions to Use following permissions as current permissions.

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
You can set proposed permissions in a Central Access Rule as well as actually set permissions.

http://technet.microsoft.com/en-us/library/jj134043.aspx

QUESTION 11
* You have a server named Server1 that runs a Server Core Installation of Windows Server 2012. Shadow
copies are enabled on all volumes.
You need to delete a specific shadow copy. The solution must minimize server downtime.
Which tool should you use?
A. Vssadmin
B. Diskpart
C. Wbadmin
D. Shadow

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Vssadmin delete shadows
Deletes shadow copies of a specified volume.

http://technet.microsoft.com/en-us/library/cc754968%28v=ws.10%29.aspx

http://technet.microsoft.com/en-us/library/cc788026(v=ws.10).aspx
QUESTION 12

* Your network contains an Active Directory domain named adatum.com. All domain controllers run Windows
Server 2008 R2.
The domain contains a file server named Server6 that runs Windows Server 2012. Server6 contains a folder
named Folder1. Folder1 is shared as Share1.
The NTFS permissions on Folder1 are shown in the exhibit. (Click the Exhibit button.)
The domain contains two global groups named Group1 and Group2.
You need to ensure that only users who are members of both Group1 and Group2 are denied access to
Folder1.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
Exhibit:

A. Remove the Deny permission for Group1 from Folder1.
B. Deny Group2 permission to Folder1.
C. Install a domain controller that runs Windows Server 2012.
D. Create a conditional expression.
E. Deny Group2 permission to Share1.
F. Deny Group1 permission to Share1.


Correct Answer: CD
Section: (none)
Explanation
Explanation/Reference:
"ensure that only users who are members of both Group1 and Group2 are denied access to Folder1"
Conditional Expressions for Permission Entries
Windows Server 2008 R2 and Windows 7 enhanced Windows security descriptors by introducing a
conditional access permission entry.
Access Control and Authorization Overview
In Windows Server 2012 and Windows 8, helps control the use of system and network resources through the
interrelated mechanisms of authentication and authorization. After a user is authenticated, Windows Server
2012 and Windows 8 use Windows authorization and access control technologies to implement the second
phase of protecting resources: determining if an authenticated user has the correct permissions to access a
resource.
Windows Server 2012 takes advantage of conditional access permission entries by inserting user claims,
device claims, and resource properties, into conditional expressions. Windows Server 2012 security evaluates
these expressions and allows or denies access based on results of the evaluation. Securing access to
resources through claims is known as claims-based access control. Claims-based access control works with
traditional access control to provide an additional layer of authorization that is flexible to the varying needs of
the enterprise environment.

http://technet.microsoft.com/en-us/library/jj134043.aspx
http://social.technet.microsoft.com/wiki/contents/articles/14269.introducing-dynamic-access-control-en-us.aspx
QUESTION 13
* Your network contains an Active Directory domain named contoso.com. The network contains a file server
named Server1 that runs Windows Server 2012.
You are configuring a central access policy for temporary employees.
You enable the Department resource property and assign the property a suggested value of Temp.
You need to configure a target resource condition for the central access rule that is scoped to resources
assigned to Temp only.
Which condition should you use?
A. (Temp.Resource Equals "Department")
B. (Resource.Temp Equals "Department")
C. (Resource.Department Equals "Temp")
D. (Department.Value Equals "Temp")

Correct Answer: C

Section: (none)
Explanation
Explanation/Reference:

http://technet.microsoft.com/fr-fr/library/hh846167.aspx
QUESTION 14
* Your network contains an Active Directory domain named contoso.com. The domain contains a file server
named Server1 that runs Windows Server 2012. All client computers run Windows 8.
You need to configure a custom Access Denied message that will be displayed to users when they are denied
access to folders or files on Server1.
What should you configure?
A. A classification property
B. The File Server Resource Manager Options
C. A file management task
D. A file screen template

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
File Server Resource Manager is a suite of tools that allows administrators to understand, control, and manage
the quantity and type of data stored on their servers. By using File Server Resource Manager, administrators
can place quotas on folders and volumes, actively screen files, and generate comprehensive storage reports.
This set of advanced instruments not only helps the administrator to efficiently monitor existing storage
resources but it also aids in the planning and implementation of future policy changes.
http://technet.microsoft.com/en-us/library/cc755603%28v=ws.10%29.aspx
QUESTION 15
* You have a file server named Server1 that runs a Server Core Installation of Windows Server 2012.
Server1 has a volume named D that contains user data. Server1 has a volume named E that is empty.
Server1 is configured to create a shadow copy of volume D every hour.
You need to configure the shadow copies of volume D to be stored on volume E.
What should you run?
A. The Set-Volume cmdlet with the -driveletter parameter
B. The Set-Volume cmdlet with the -path parameter
C. The vssadmin.exe add shadowstorage command
D. The vssadmin.exe create shadow command

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Vssadmin add shadowstorage
Adds a shadow copy storage association for a specified volume.

http://technet.microsoft.com/en-us/library/cc788051%28v=ws.10%29.aspx
QUESTION 16
* Your network contains an Active Directory domain named contoso.com. The domain contains a file server
named File1 that runs a Server Core Installation of Windows Server 2012.
File1 has a volume named D that contains home folders. File1 creates a shadow copy of volume D twice a day.
You discover that volume D is almost full.
You add a new volume named H to File1.
You need to ensure that the shadow copies of volume D are stored on volume H.
Which command should you run?
A. The Set-Volume cmdlet with the -driveletter parameter
B. The vssadmin.exe create shadow command
C. The Set-Volume cmdlet with the -path parameter
D. The vssadmin.exe add shadowstorage command

Correct Answer: D

Section: (none)
Explanation
Explanation/Reference:
Vssadmin add shadowstorage
Adds a shadow copy storage association for a specified volume.

http://technet.microsoft.com/en-us/library/cc788051%28v=ws.10%29.aspx
QUESTION 17
* Your network contains an Active Directory domain named contoso.com. All servers run Windows Server
2012. The domain contains a file server named Server1. The domain contains a domain controller named DC1.
Server1 contains three shared folders. The folders are configured as shown in the following table.

Folder2 has a conditional expression of User.Department == "Marketing".


You discover that a user named User1 cannot access \\Server1\folder2. User1 can access \\Server1\folder1 and
\\Server1\folder3.
You verify the group membership of User1 as shown in the Member Of exhibit. (Click the Exhibit button.)

You verify the organization information of User1 as shown in the Organization exhibit.

You verify the general properties of User1 as shown in the General exhibit. (Click the Exhibit button.)

You need to ensure that User1 can access the contents of \\Server1\folder2.
What should you do?
A. From a Group Policy object (GPO), set the Support for Dynamic Access Control and Kerberos armoring
setting to Always provide claims.
B. Change the department attribute of User1.
C. Grant the Full Control NTFS permissions on Folder2 to User1.
D. Remove User1 from the Accounting global group.

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
B. The conditional expression and the user's Department must match.
http://technet.microsoft.com/en-us/library/jj134043.aspx
QUESTION 18
* You have a server named Server1 that runs Windows Server 2012.
You install the File and Storage Services server role on Server1.
From Windows Explorer, you view the properties of a folder named Folder1 and you discover that the
Classification tab is missing.
You need to ensure that you can assign classifications to Folder1 from Windows Explorer manually.
What should you do?
A. From Folder Options, clear Hide protected operating system files (Recommended).
B. Install the File Server Resource Manager role service.
C. From Folder Options, select the Always show menus.
D. Install the Share and Storage Management Tools.

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Classification properties are used to categorize files and can be used to select files for scheduled file
management tasks.

http://technet.microsoft.com/en-us/library/dd759252.aspx
http://technet.microsoft.com/en-us/library/dd758759(v=WS.10).aspx
QUESTION 19
* (diff question - A) Your network contains three servers named Server1, Server2, and Server3. All servers run
Windows Server 2012.
You need to ensure that Server1 can provide iSCSI storage for Server2 and Server3.
What should you do on Server1?
A. Start the Microsoft iSCSI Initiator Service and configure the iSCSI Initiator Properties.

B. Install the iSNS Server service feature and create a Discovery Domain.
C. Install the Multipath I/O (MPIO) feature and configure the MPIO Properties.
D. Install the iSCSI Target Server role service and configure iSCSI targets.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
iSCSI: An industry-standard protocol that allows sharing block storage over Ethernet. The server that shares the
storage is called the iSCSI Target. The server (machine) that consumes the storage is called the iSCSI initiator.
Typically, the iSCSI initiator is an application server. For example, if an iSCSI Target provides storage to a SQL
server, the SQL server is the iSCSI initiator in this deployment.
Target: An object that allows the iSCSI initiator to make a connection. The Target keeps track of the
initiators that are allowed to connect to it. The Target also keeps track of the iSCSI virtual disks that
are associated with it. Once the initiator establishes the connection to the Target, all the iSCSI virtual disks
associated with the Target are accessible by the initiator.
iSCSI Target Server: The server that runs the iSCSI Target. It is also the iSCSI Target role name in Windows
Server 2012.

http://blogs.technet.com/b/filecab/archive/2012/05/21/introduction-of-iscsi-target-in-windows-server-2012.aspx
QUESTION 20
* (different question, twice) Your company has a main office and a branch office. The main office is located in
Detroit. The branch office is located in Seattle.
The network contains an Active Directory domain named adatum.com. Client computers run either Windows 7
Enterprise or Windows 8 Enterprise.
The main office contains 1,000 client computers and 50 servers. The branch office contains 20 client
computers.
All computer accounts for the branch office are located in an organizational unit (OU) named
SeattleComputers. A Group Policy object (GPO) named GPO1 is linked to the SeattleComputers OU.
You need to configure BranchCache for the branch office.
Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
BranchCache uses peer-to-peer networking across LANs to reduce file sharing and HTTP traffic across the
WAN. When you enable BranchCache, client computers running Windows 7 keep a local cached copy of data
that they copy from a file or Web server running Windows Server 2008 R2. If another computer running
Windows 7 on the same LAN or branch office needs the same data, that client can copy the data directly from
the local cache, reducing WAN bandwidth usage and potentially improving performance.

http://technet.microsoft.com/en-us/magazine/gg619377.aspx
http://blogs.technet.com/b/tnmag/archive/2011/02/09/use-group-policy-to-configure-branchcache-on-windows7-clients.aspx
QUESTION 21
* Your network contains an Active Directory domain named contoso.com. The domain contains a file server
named Server1. The File Server Resource Manager role service is installed on Server1. All servers run
Windows Server 2012.
A Group Policy object (GPO) named GPO1 is linked to the organizational unit (OU) that contains Server1. The
following graphic shows the configured settings in GPO1.

Server1 contains a folder named Folder1. Folder1 is shared as Share1.


You attempt to configure access-denied assistance on Server1, but the Enable access-denied assistance
option cannot be selected from File Server Resource Manager.
You need to ensure that you can configure access-denied assistance on Server1 manually by using File Server
Resource Manager.
Which two actions should you perform?
A. Set the Enable access-denied assistance on client for all file types policy setting to Disabled for GPO1.
B. Set the Customize message for Access Denied errors policy setting to Not Configured for GPO1.
C. Set the Enable access-denied assistance on client for all file types policy setting to Enabled for GPO1.
D. Set the Customize message for Access Denied errors policy setting to Enabled for GPO1.

Correct Answer: CD
Section: (none)
Explanation
Explanation/Reference:

http://technet.microsoft.com/en-us/library/hh831402.aspx
QUESTION 22
* You have a server named Server1 that runs Windows Server 2012. Server1 has the File Server Resource
Manager role service installed.
You are creating a file management task as shown in the exhibit. (Click the Exhibit button.)
You need to ensure that the Include all folders that store the following kinds of data list displays an entry named
Corporate Data.
What should you do?
Exhibit:

A. Modify the properties of the System Files file group.
B. Create a new classification property.
C. Create a new file group.
D. Modify the Folder Usage classification property.

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
In Windows Server 2008 R2 Microsoft has added some new automating features to file classification. The File
Classification Infrastructure makes it possible to automatically assign classification information to files on file
servers and apply policy to them based on that information.
Classifying data can help make data more accessible (or less accessible) to the users in your environment who
need it.

http://technet.microsoft.com/en-us/library/dd464014%28WS.10%29.aspx
QUESTION 23
* You have a server named LON-DC1 that runs Windows Server 2012.
An iSCSI virtual disk named VirtualiSCSI1.vhd exists on LON-DC1 as shown in the exhibit.
You create a new iSCSI virtual disk named VirtualiSCSI2.vhd by using the existing itgt iSCSI target.
VirtualiSCSI1.vhd is removed from LON-DC1.
You need to assign VirtualiSCSI2.vhd a logical unit value of 0.
What should you do?
Exhibit:

A. Modify the properties of the VirtualiSCSI2.vhd iSCSI virtual disk.
B. Run the Add-IscsiVirtualDiskTargetMapping cmdlet and specify the -Lun parameter.
C. Run the iscsicli command and specify the reportluns parameter.
D. Run the iscsicpl command and specify the virtualdisklun parameter.

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Add-IscsiVirtualDiskTargetMapping - Assigns a virtual disk to an iSCSI target.

http://technet.microsoft.com/en-us/library/jj612800(v=wps.620).aspx
QUESTION 24
* You have a server named Server1 that runs Windows Server 2012. The storage on Server1 is configured as
shown in the following table.

You plan to implement Data Deduplication on Server1.


You need to identify on which drives you can enable Data Deduplication.
Which three drives should you identify? (Each correct answer presents part of the solution. Choose two.)
A. C
B. D
C. E
D. F
E. G
Correct Answer: BDE


Section: (none)
Explanation
Explanation/Reference:

http://technet.microsoft.com/en-us/library/hh831700.aspx
QUESTION 25
* You have a file server named Server1 that runs Windows Server 2012.
Data Deduplication is enabled on drive D of Server1.
You need to exclude D:\Folder1 from Data Deduplication.
What should you configure?
A. Disk Management in Computer Management
B. File and Storage Services in Server Manager
C. the classification rules in File Server Resource Manager (FSRM)
D. the properties of D:\Folder1

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Data deduplication involves finding and removing duplication within data without compromising its fidelity or
integrity. The goal is to store more data in less space by segmenting files into small variable-sized chunks
(32-128 KB), identifying duplicate chunks, and maintaining a single copy of each chunk. Redundant copies of the
chunk are replaced by a reference to the single copy. The chunks are compressed and then organized into
special container files in the System Volume Information folder.
Data deduplication exclusions on a volume are set from File and Storage Services in Server Manager or from
PowerShell.
http://technet.microsoft.com/en-us/library/hh831434.aspx
http://blogs.technet.com/b/uspartner_ts2team/archive/2012/10/08/data-deduplication-in-windows-server-2012.aspx

QUESTION 26
* You are employed as a network administrator at contoso.com. Contoso.com has an Active Directory domain
named contoso.com. All servers on the contoso.com network have Windows Server 2012 installed.
Contoso.com has a server named server1, which is configured as a file server. You have been instructed to
enable a feature that discovers and eradicates duplication within data without compromising its reliability or
accuracy.
Which of the following actions should you take?
A. You should consider having the Data Deduplication feature enabled.
B. You should consider having the Storage Spaces feature enabled.
C. You should consider having the Storage Management feature enabled.
D. You should consider having the folder redirection feature enabled.

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Data deduplication involves finding and removing duplication within data without compromising its fidelity or
integrity.
QUESTION 27
* Your network contains an Active Directory domain named contoso.com. The domain contains two member
servers named Server1 and Server2. All servers run Windows Server 2012.
Server1 and Server2 have the Failover Clustering feature installed. The servers are configured as nodes in a
failover cluster named Cluster1. Cluster1 has access to four physical disks. The disks are configured as shown
in the following table.

You need to identify which disk can be added to a Clustered Storage Space in Cluster1.
Which disk should you identify?
A. Disk1
B. Disk2
C. Disk3
D. Disk4

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:

http://technet.microsoft.com/en-us/library/jj822937.aspx
QUESTION 28
Your network contains servers that run Windows Server 2012. The network contains a large number of iSCSI
storage locations and iSCSI clients. You need to deploy a central repository that can discover and list iSCSI
resources on the network automatically.
Which feature should you deploy?
A. the Windows Standards-Based Storage Management feature
B. the iSCSI Target Server role service

C. the iSCSI Target Storage Provider feature


D. the iSNS Server service feature
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Internet Storage Name Service Server (iSNS Server)
The Internet Storage Name Service (iSNS) protocol is used for interaction between iSNS servers and iSNS
clients. iSNS clients are computers, also known as initiators, that are attempting to discover storage devices,
also known as targets, on an Ethernet network. iSNS facilitates automated discovery, management, and
configuration of iSCSI and Fibre Channel devices (using iFCP gateways) on a TCP/IP network.

http://technet.microsoft.com/en-us/library/cc772568.aspx
QUESTION 29
You have a server named Server1 that runs a Server Core Installation of Windows Server 2012. Shadow
copies are enabled on all volumes.
You need to delete a specific shadow copy. The solution must minimize server downtime.
Which tool should you use?
A. Diskshadow
B. Diskpart
C. Wbadmin

D. Shadow
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
DiskShadow.exe is a tool that exposes the functionality offered by the Volume Shadow Copy Service
(VSS). By default, DiskShadow uses an interactive command interpreter similar to that of DiskRAID or
DiskPart. DiskShadow also includes a scriptable mode.
http://technet.microsoft.com/en-us/library/cc772172.aspx

http://technet.microsoft.com/en-us/library/cc754915.aspx

http://technet.microsoft.com/en-us/library/cc788026(v=ws.10).aspx
QUESTION 30
Your network contains an Active Directory domain named adatum.com. The domain contains a file server
named FS1 that runs Windows Server 2012 and has the File Server Resource Manager role service installed.
All client computers run Windows 8.
File classification and Access-Denied Assistance are enabled on FS1.
You need to ensure that if users receive an Access Denied message, they can request assistance by email
from the Access Denied dialog box.
What should you configure?
A. a file management task
B. a classification property
C. the File Server Resource Manager Options
D. a report task

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Configure access-denied assistance
You can configure access-denied assistance within a domain by using Group Policy, or you can configure the
assistance individually on each file server by using the File Server Resource Manager console. You can also
change the access-denied message for a specific shared folder on a file server.

http://technet.microsoft.com/en-us/library/hh831402.aspx
http://technet.microsoft.com/en-us/library/jj574182.aspx
QUESTION 31
You have a server named LON-DC1 that runs Windows Server 2012. An iSCSI virtual disk named
VirtualiSCSI1.vhd exists on LON-DC1 as shown in the exhibit. (Click the Exhibit button.)
You create a new iSCSI virtual disk named VirtualiSCSI2.vhd by using the existing itgt iSCSI target.
VirtualiSCSI1.vhd is removed from LON-DC1.
You need to assign VirtualiSCSI2.vhd a logical unit value of 0.
What should you do?

Exhibit:

A. Run the Set-IscsiVirtualDisk cmdlet and specify the -DevicePath parameter.
B. Run the iscsicpl command and specify the virtualdisklun parameter.
C. Modify the properties of the itgt ISCSI target.
D. Run the Set-VirtualDisk cmdlet and specify the -UniqueId parameter.

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Set-VirtualDisk
Modifies the attributes of an existing virtual disk. Applies To: Windows Server 2012
-UniqueId<String>
Specifies an ID used to uniquely identify a Disk object in the system. The ID persists through restarts.
Note: Logical unit numbers (LUNs) created on an iSCSI disk storage subsystem are not directly assigned to a
server.
For iSCSI, LUNs are assigned to logical entities called targets.
QUESTION 32
You are employed as a senior network administrator at ABC.com. ABC.com has an Active Directory domain
named ABC.com. All servers on the ABC.com network have Windows Server 2012 installed.
ABC.com has two servers, named SERVER1 and SERVER2, which are configured in a two-node failover
cluster.
Server1 includes a folder, named ABCAppData, which is configured as a Distributed File System (DFS)
namespace folder target.
After configuring another two nodes in the failover cluster, you are instructed to make sure that access to
ABCAppData is highly available. You also have to make sure that application data is replicated to ABCAppData
via DFS replication.
Which of the following actions should you take?
A. You should consider configuring a scale-out File Server
B. You should consider configuring the replication settings for the cluster
C. You should consider configuring a file server for general use
D. You should consider configuring the Quorum settings

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:

http://technet.microsoft.com/en-us/library/hh831349.aspx
http://technet.microsoft.com/en-us/magazine/jj992578.aspx
Scale-Out File Server for Application data (Scale-Out File Server): This clustered file server is introduced in
Windows Server 2012 and lets you store server Application data, such as Hyper-V virtual machine files, on file
shares, and obtain a similar level of reliability, availability, manageability, and high performance that you would
expect from a storage area network. All file shares are online on all nodes simultaneously. File shares
associated with this type of clustered file server are called scale-out file shares. This is sometimes referred to
as active-active.

QUESTION 33
Your network contains an Active Directory domain named contoso.com. All servers run Windows Server 2012.
The domain contains a file server named Server1. The domain contains a domain controller named DC1.
Server1 contains three shared folders. The folders are configured as shown in the following table.

Folder2 has a conditional expression of User.Department == "Marketing".


You discover that a user named User1 cannot access \\Server1\folder2. User1 can access \\Server1\folder1
and \\Server1\folder3.
You verify the group membership of User1 as shown in the Member Of exhibit.

You verify the organization information of User1 as shown in the Organization exhibit.

You verify the general properties of User1 as shown in the General exhibit.

You need to ensure that User1 can access the contents of \\Server1\folder2. What should you do?
A. From a Group Policy object (GPO), set the Support for Dynamic Access Control and Kerberos armoring
setting to Always provide claims.
B. Change the department attribute of User1.
C. Grant the Full Control NTFS permissions on Folder2 to User1.
D. Remove User1 from the Accounting global group.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 34
Your network contains an Active Directory domain named contoso.com. The domain contains a file server
named Server1 and a domain controller named DC1. All servers run Windows Server 2012.
A Group Policy object (GPO) named GPO1 is linked to the domain.

Server1 contains a folder named Folder1. Folder1 is shared as Share1.


You need to ensure that authenticated users can request assistance when they are denied access to the
resources on Server1.
Which two actions should you perform? (Each correct answer presents part of the solution.
Choose two.)
A. Assign the Read Attributes NTFS permission on Folder1 to the Authenticated Users group.
B. Install the File Server Resource Manager role service on Server1.
C. Configure the Customize message for Access Denied errors policy setting of GPO1.
D. Enable the Enable access-denied assistance on client for all file types policy setting for GPO1.
E. Install the File Server Resource Manager role service on DC1.

Correct Answer: BD
Section: (none)
Explanation
Explanation/Reference:
Access-Denied Assistance is a new role service of the File Server role in Windows Server 2012. The
technology is intended to make it easier for both users and administrators to resolve permissions problems with
shared file resources.
You can configure access-denied assistance within a domain by using Group Policy, or you can configure the
assistance individually on each file server by using the File Server Resource Manager console. You can also
change the access-denied message for a specific shared folder on a file server.

http://technet.microsoft.com/en-us/library/hh831402.aspx#BKMK_1
QUESTION 35
You have a file server named Server1 that runs a Server Core Installation of Windows Server 2012.
You need to ensure that users can access previous versions of files that are shared on Server1 by using the
Previous Versions tab.
Which tool should you use?
A. Diskpart
B. Wbadmin
C. Vssadmin
D. Storrept

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Displays current volume shadow copy backups and all installed shadow copy writers and providers.
http://blogs.msdn.com/b/adioltean/archive/2004/12/14/301868.aspx

QUESTION 36
Your network contains an Active Directory domain named contoso.com. The domain contains a file server
named Server1. Server1 is a BranchCache hosted cache server that is located in a branch office.
The network contains client computers that run either Windows 7 or Windows 8.
For the branch office, all of the user accounts and the client computer accounts are located in an organizational
unit (OU) named Branch1. A Group Policy object (GPO) named GPO1 is linked to Branch1. GPO1 contains the
BranchCache settings.
You discover that users in the branch office who have client computers that run Windows 7 do not access
cached content from Server1. Users in the branch office who have Windows 8 computers access cached
content from Server1.
You need to configure the Windows 7 computers to use BranchCache on Server1. Which setting should you
configure in GPO1?
To answer, select the appropriate setting in the answer area.
Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
To enable BranchCache on Windows 7 client computers using Group Policy, you must first create a Group
Policy object (GPO) that will carry the BranchCache configuration. After creating the GPO, you configure the
setting that enables BranchCache and choose whether BranchCache will operate in Distributed Cache mode or
Hosted Cache mode.
To use Hosted Cache mode, double-click Turn on BranchCache Hosted cache mode, click Enabled, and
then click OK.
http://technet.microsoft.com/en-us/library/dd637820%28v=ws.10%29.aspx
QUESTION 37
* Your network contains an Active Directory forest named contoso.com. The forest contains four domains. All
servers run Windows Server 2012 R2.

Each domain has a user named User1.


You have a file server named Server1 that is used to synchronize user folders by using the Work Folders role
service.
Server1 has a work folder named Sync1.
You need to ensure that each user has a separate folder in Sync1.
What should you do?
A. From Windows Explorer, modify the Sharing properties of Sync1.
B. Run the Set-SyncServerSetting cmdlet.
C. From File and Storage Services in Server Manager, modify the properties of Sync1.
D. Run the Set-SyncShare cmdlet.

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
http://technet.microsoft.com/en-US/library/dn296649.aspx
PS C:\> Set-SyncShare Share01 -User "ContosoGroup"
QUESTION 38
* Your network contains two servers named Server1 and Server2 that run Windows Server 2012 R2. Server1
and Server2 are configured as shown in the following table.

You need to ensure that when new targets are added to Server1, the targets are registered on Server2
automatically. What should you do on Server1?
A. Configure the Discovery settings of the iSCSI initiator.
B. Configure the security settings of the iSCSI target.
C. Run the Set-WmiInstance cmdlet.
D. Run the Set-IscsiServerTarget cmdlet.

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
http://blogs.technet.com/b/filecab/archive/2012/06/08/iscsi-target-cmdlet-reference.aspx
11. Manage iSNS server registration
The iSNS server registration can be done using the following cmdlets, which manage the WMI objects.
To add an iSNS server:

Set-WmiInstance -Namespace root\wmi -Class WT_iSNSServer -Arguments @{ServerName="ISNSservername"}
QUESTION 39
* You have a server named Server1 that runs Windows Server 2012 R2.
You install the File and Storage Services server role on Server1.
From Windows Explorer, you view the properties of a folder named Folder1 and you discover that the
Classification tab is missing.
You need to ensure that you can assign classifications to Folder1 from Windows Explorer manually.
What should you do?
A. From Folder Options, clear Hide protected operating system files (Recommended)
B. Install the File Server Resource Manager role service
C. From Folder Options, select the Always show menus
D. Install the Share and Storage Management Tools

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 40
* Your network contains an Active Directory domain named contoso.com. The domain contains a file server
named Server1. All servers run Windows Server 2012.
All domain user accounts have the Division attribute automatically populated as part of the user provisioning
process. The Support for Dynamic Access Control and Kerberos armoring policy is enabled for the domain.
You need to control access to the file shares on Server1 based on the values in the Division attribute and the
Division resource property.
Which three actions should you perform in sequence?
Select and Place:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
Claims make it possible for administrators to make precise organization or enterprise-wide statements about
users, devices, and resources that can be incorporated in expressions, rules, and policies.

Claims were not available in earlier versions of Windows.


Create claim types
Create resource properties
Assign the central access policy to the appropriate shared folder on the file server.
http://technet.microsoft.com/en-us/library/hh846167.aspx
http://go.microsoft.com/?linkid=9822813
QUESTION 41
* Your network contains an Active Directory domain named contoso.com.
You have a Dynamic Access Control policy named Policy1.
You create a new Central Access Rule named Rule1.
You need to add Rule1 to Policy1.
What command should you run?
To answer, select the appropriate options in the answer area.

Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:

QUESTION 42
* Your network contains an Active Directory domain named contoso.com. The relevant servers in the domain
are configured as shown in the following table.

You plan to create a shared folder on Server1 named Share1. Share1 must only be accessed by users who are
using computers that are joined to the domain.
You need to identify which servers must be upgraded to support the requirements of Share1.
In the table below, identify which computers require an upgrade and which computers do not require an
upgrade. Make only one selection in each row. Each correct selection is worth one point.

Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
QUESTION 43
* You have a file server named Server1 that runs Windows Server 2012 R2.
You need to ensure that you can use the NFS Share - Advanced option from the New Share Wizard in Server
Manager.
Which two role services should you install?
Guaranteed success with TestInsides practice guides 317 Microsoft 70-412 : Practice Test
To answer, select the appropriate two role services in the answer area.

Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
QUESTION 44
* Your network contains an Active Directory domain named contoso.com.
You need to ensure that third-party devices can use Workplace Join to access domain resources on the
Internet.
Which four actions should you perform in sequence?
To answer, move the appropriate four actions from the list of actions to the answer area and arrange them in
the correct order.

Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
http://technet.microsoft.com/en-us/library/dn280939.aspx
http://technet.microsoft.com/en-us/library/dn486831.aspx
QUESTION 45
* Your network contains an Active Directory domain named contoso.com.
You have a failover cluster named Cluster1 that contains two nodes named Server1 and Server2. Both servers
run Windows Server 2012 R2 and have the Hyper-V server role installed.
You plan to create two virtual machines that will run an application named App1. App1 will store data on a
virtual hard drive named App1data.vhdx. App1data.vhdx will be shared by both virtual machines.
The network contains the following shared folders:
An SMB file share named Share1 that is hosted on a Scale-Out File Server.
An SMB file share named Share2 that is hosted on a standalone file server.
An NFS share named Share3 that is hosted on a standalone file server.
You need to ensure that both virtual machines can use App1data.vhdx simultaneously.
What should you do?
To answer, select the appropriate configurations in the answer area.

Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:

QUESTION 46
* Your network contains an Active Directory forest.
You implement Dynamic Access Control in the forest.
You have the claim types shown in the Claim Types exhibit. (Click the Exhibit button.)

The properties of a user named User1 are configured as shown in the User1 exhibit. (Click the Exhibit button.)

The output of Whoami /claims for a user named User2 is shown in the Whoami exhibit.
(Click the Exhibit button.)

Select Yes if the statement can be shown to be true based on the available information; otherwise select No.
Each correct selection is worth one point.

Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
QUESTION 47
* You have a server that runs Windows Server 2012 R2 and has the iSCSI Target Server role service installed.
You run the New-IscsiVirtualDisk cmdlet as shown in the New-IscsiVirtualDisk exhibit.
(Click the Exhibit button.)

To answer, complete each statement according to the information presented in the exhibits.
Each correct selection is worth one point.

Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
QUESTION 48
* Your network contains an Active Directory domain named contoso.com. The domain contains a file server
named Server1. All servers run Windows Server 2012 R2.
All domain user accounts have the Division attribute automatically populated as part of the user provisioning
process. The Support for Dynamic Access Control and Kerberos armoring policy is enabled for the domain.
You need to control access to the file shares on Server1 based on the values in the Division attribute and the
Division resource property.
Which three actions should you perform in sequence?

Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
QUESTION 49
* Your network contains an Active Directory domain named contoso.com. The domain contains a domain
controller named DC1 and a server named Server1. Both servers run Windows Server 2012 R2.
You configure the classification of a share on Server1 as shown in the Share1 Properties exhibit. (Click the
Exhibit button.)
You configure the resource properties in Active Directory as shown in the Resource Properties exhibit. (Click
the Exhibit button.)

You need to ensure that the Impact classification can be assigned to Share1 immediately.
Which cmdlet should you run on each server?
To answer, select the appropriate cmdlet for each server in the answer area.

Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
QUESTION 50
* You have a file server named Server1 that runs Windows Server 2012 R2.
Server1 contains a file share that must be accessed by only a limited number of users.
You need to ensure that if an unauthorized user attempts to access the file share, a custom
Access-denied message appears, which contains a link to request access to the share. The message must not
appear when the unauthorized user attempts to access other shares.
Which two nodes should you configure in File Server Resource Manager?
To answer, select the appropriate two nodes in the answer area.

Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
http://technet.microsoft.com/en-us/library/hh831402.aspx#BKMK_1
1. Right-click File Server Resource Manager (Local), and then click Configure Options.
Click the Access-Denied Assistance tab.
Select the Enable access-denied assistance check box.
In the Display the following message to users who are denied access to a folder or file box, type a message
that users will see when they are denied access to a file or folder.
2. Expand File Server Resource Manager (Local), and then click Classification Management.
Right-click Classification Properties, and then click Set Folder Management Properties.
QUESTION 51
* You have a server that runs Windows Server 2012 R2.
You create a new work folder named Share1.
You need to configure Share1 to meet the following requirements:
Ensure that all synchronized copies of Share1 are encrypted.
Ensure that clients synchronize to Share1 every 30 minutes.
Ensure that Share1 inherits the NTFS permissions of the parent folder.
Which cmdlet should you use to achieve each requirement?
To answer, drag the appropriate cmdlets to the correct requirements. Each cmdlet may be used once, more
than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

Hot Area:

Correct Answer:

Section: (none)

Explanation
Explanation/Reference:
New-SyncShare OR Set-SyncShare -RequireEncryption <boolean>
http://technet.microsoft.com/en-us/library/dn296649.aspx
Set-SyncServerSetting -MinimumChangeDetectionMins <UInt32>
http://technet.microsoft.com/en-us/library/dn296645.aspx
Set-SyncShare -InheritParentFolderPermission
http://technet.microsoft.com/en-us/library/dn296649.aspx
QUESTION 52
* Your network contains 20 iSCSI storage appliances that will provide storage for 50 Hyper-V hosts running
Windows Server 2012 R2.
You need to configure the storage for the Hyper-V hosts. The solution must minimize administrative effort.
What should you do first?
A. Install the iSCSI Target Server role service and configure iSCSI targets.
B. Install the iSNS Server service feature and create a Discovery Domain.
C. Start the Microsoft iSCSI Initiator Service and configure the iSCSI Initiator Properties
D. Install the Multipath I/O (MPIO) feature and configure the MPIO Properties.

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 53
* You create a new virtual disk in a storage pool by using the New Virtual Disk Wizard. You discover that the
new virtual disk has a write-back cache of 1 GB.
You need to ensure that the virtual disk has a write-back cache of 5 GB.
What should you do?
A. Detach the virtual disk, and then run the Resize-VirtualDisk cmdlet
B. Detach the virtual disk, and then run the Set-VirtualDisk cmdlet
C. Delete the virtual disk, and then run the New-StorageSubSystemVirtualDisk cmdlet.
D. Delete the virtual disk, and then run the New-VirtualDisk cmdlet.

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
You must set the write-back cache during the initial new disk creation. This setting is not configurable once the
VHD has been created.
QUESTION 54
* You have a server named Server1 that runs Windows Server 2012 R2.

Server1 has access to disks that connect to a RAID controller, iSCSI disks, and disks connected to a SCSI
controller.
You plan to use a tiered storage space on Server1.
You need to identify which storage controller and volume type you must use for the tiered storage space.
Which storage components should you use?
To answer, select the appropriate options in the answer area.


Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
QUESTION 55
* You have a server named Server1 that runs Windows Server 2012 R2.
You are configuring a storage space on Server1.
You need to ensure that the storage space supports tiered storage.
Which settings should you configure?
To answer, select the appropriate options in the answer area.

Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
Note: When using Storage Tiers, only the Fixed provisioning type is supported.
http://blogs.technet.com/b/keithmayer/archive/2013/09/13/step-by-step-build-an-automated-storage-tiers-labwith-windows-server-2012-r2-and-powershell.aspx#.UzRcfvldXfs
QUESTION 56
Your network contains two Active Directory forests named contoso.com and adatum.com. Each forest contains
one domain.
Contoso.com has a two-way forest trust to adatum.com. Selective authentication is enabled on the forest trust.
Contoso contains 10 servers that have the File Server role service installed. Users successfully access shared
folders on the file servers by using permissions granted to the Authenticated Users group.
You migrate the file servers to adatum.com.
Contoso users report that after the migration, they are unable to access shared folders on the file servers.
You need to ensure that the Contoso users can access the shared folders on the file servers.
What should you do?
A. Disable selective authentication on the existing forest trust.
B. Disable SID filtering on the existing forest trust.
C. Run netdom and specify the /quarantine attribute.
D. Replace the existing forest trust with an external trust.

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Need to grant access to the resources in contoso.com.
Selective authentication over a forest trust restricts access to only those users in a trusted forest who have
been explicitly given authentication permissions to computer objects (resource computers) that reside in the
trusting forest.

SID Filtering
SID filtering is set on all trusts to prevent malicious users who have domain or enterprise administrator level
access in a trusted forest from granting (to themselves or other user accounts in their forest) elevated user
rights to a trusting forest. It does this by preventing misuse of the attributes containing SIDs on security
principals (including inetOrgPerson) in the trusted forest. One common example of an attribute that contains a
SID is the SID history attribute (sIDHistory) on a user account object. The SID history attribute is typically used
by domain administrators to seamlessly migrate the user and group accounts that are held by a security
principal from one domain to another.
When security principals are created in a domain, the domain SID is included in the SID of the principal to
identify the domain in which it was created. The domain SID is important because the Windows security
subsystem uses it to verify the identity of the security principal, which in turn determines what resources in the
domain the principal can access.
How SID History is used to migrate accounts
Domain administrators can simplify account migration by using the SID history attribute to migrate permissions,
either automatically by using the Active Directory Migration Tool (ADMT) or manually by adding SIDs from an
old user or group account to the SID history attribute of the new, migrated account. With either method, the new
account retains the same level of permissions or access to resources as the old account. If domain
administrators could not use the SID history attribute in this way, they would have to determine and reapply
permissions on each network resource to which the old account had access.

http://technet.microsoft.com/en-us/library/cc755321%28v=ws.10%29.aspx

Implement business continuity and disaster recovery


QUESTION 1
* You have a server named File1 that runs Windows Server 2012. File1 has the File Server role service
installed.
You plan to back up all shared folders by using Microsoft Online Backup.
You download and install the Microsoft Online Backup Service Agent on File1.
You need to ensure that you use Windows Server Backup to back up data to Microsoft Online Backup.
What should you do?
A. From Computer Management, add the File1 computer account to the Backup Operators group.
B. From Windows Server Backup, run the Register Server Wizard.
C. From a command prompt, run wbadmin.exe enable backup.
D. From the Services console, modify the Log On settings of the Microsoft Online Backup Service Agent.

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
The same question can appear with Windows Azure Online Backup.
To register a server for use with Windows Azure Backup, you must run the Register Server Wizard.

http://technet.microsoft.com/en-us/library/hh831677.aspx
http://blogs.msdn.com/b/mvpawardprogram/archive/2012/11/12/configuring-online-backup-for-windows-server2012.aspx
QUESTION 2
* You have a file server named Server1 that runs Windows Server 2012. The folders on Server1 are configured
as shown in the following table.

A new corporate policy states that backups must use Microsoft Online Backup whenever possible.
You need to identify which technology you must use to back up Server1. The solution must use Microsoft
Online Backup whenever
What should you identify?
To answer, drag the appropriate backup type to the correct location or locations. Each backup type may be
used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view
content.
Select and Place:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:

Using Windows Azure Backup does not require that you install Windows Server Backup.
However, the two backup methods complement each other.
Windows Server Backup can perform tasks such as bare metal and system state restores, which are
not available by using Windows Azure Backup.
(For a System State backup, you still need to use the Local Backup option.)
http://msdn.microsoft.com/en-us/library/windowsazure/hh831761.aspx
http://blogs.technet.com/b/askpfeplat/archive/2013/02/11/can-you-really-backup-windows-server-2012-towindows-azure.aspx
http://blogs.msdn.com/b/mvpawardprogram/archive/2012/11/12/configuring-online-backup-for-windows-server2012.aspx
QUESTION 3
* Your network contains an Active Directory domain named contoso.com. The domain contains a file server
named Server1 that runs Windows Server 2012.
You create a user account named User1 in the domain.
You need to ensure that User1 can use Windows Server Backup to back up Server1. The solution must
minimize the number of administrative rights assigned to User1.
What should you do?
A. Add User1 to the Backup Operators group.
B. Add User1 to the Power Users group.
C. Assign User1 the Backup files and directories user right and the Restore files and directories user right.
D. Assign User1 the Backup files and directories user right.

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Permissions and user rights required to back up and restore
You must have certain permissions and user rights to back up files and folders. If you are an administrator or a
backup operator in a local group, you can back up any file and folder on the local computer to which the local
group applies.
Likewise, if you are an administrator or backup operator on a domain controller you can back up any file and
folder locally on any computer in the domain or any computer on a domain with which you have a two-way trust
relationship.
Who has the "Back up files and directories" user right?
By default the Administrators group and the Backup Operators group, but an administrator can give it to any
account.
http://msdn.microsoft.com/en-us/library/ms813696.aspx
http://technet.microsoft.com/en-us/library/cc787956(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc756898(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc771990.aspx
Backup Operators have these permissions by default:

However, the question explicitly says we need to minimize administrative rights. Since the requirement is for
backing up the data only (no requirement to restore or shut down), assigning the "Back up files and
directories" user right would be the correct answer.

Assigning this user right can be a security risk. Since there is no way to be sure that a user is backing up data,
stealing data, or copying data to be distributed, only assign this user right to trusted users.
http://ntsecurity.nu/toolbox/nscopy/
QUESTION 4
* You have 20 servers that run Windows Server 2012.
You need to create a Windows PowerShell script that registers each server in Windows Azure Online Backup
and sets an encryption passphrase.
Which two PowerShell cmdlets should you run in the script? (Each correct answer presents part of the solution.
Choose two.)
A. New-OBPolicy
B. New-OBRetentionPolicy
C. Add-OBFileSpec
D. Start-OBRegistration
E. Set-OBMachineSetting

Correct Answer: DE
Section: (none)
Explanation
Explanation/Reference:
Set-OBMachineSetting
Sets an OBMachineSetting object for the server.
Start-OBRegistration

Registers the current computer with Windows Azure Backup using the credentials (username and password)
created during enrollment.
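# Sample values only; a production script should read these secrets from a protected store.
# $pwd is a PowerShell automatic variable (current location), so a different name is used here.
$accountPassword = ConvertTo-SecureString -String "m!nh@S3nh@" -AsPlainText -Force
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "usuairo@endereco.onmicrosoft.com", $accountPassword
# Register this server with Windows Azure Backup
Start-OBRegistration -Credential $cred
# Set the passphrase used to encrypt the backed-up data
$pass = ConvertTo-SecureString -String "1234567890123456" -AsPlainText -Force
Set-OBMachineSetting -EncryptionPassphrase $pass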
http://technet.microsoft.com/en-us/library/hh770398.aspx
http://technet.microsoft.com/en-us/library/hh770409.aspx
http://dyegocomy.com/blog/windows-azure-online-backup/
QUESTION 5
* You have 30 servers that run Windows Server 2012.
All of the servers are backed up daily by using Windows Azure Online Backup.
You need to perform an immediate backup of all the servers to Windows Azure Online Backup.
Which Windows PowerShell cmdlets should you run on each server?
A. Get-OBPolicy | Start-OBBackup
B. Start-OBRegistration | Start-OBBackup
C. Get-WBPolicy | Start-WBBackup
D. Get-WBBackupTarget | Start-WBBackup

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Get-OBPolicy
Gets the current backup policy set for the server.
Start-OBBackup
Starts a one-time backup operation based on the specified OBPolicy.

http://technet.microsoft.com/en-us/library/hh770406.aspx
http://technet.microsoft.com/en-us/library/hh770426.aspx
QUESTION 6
* Your network contains two servers named Server1 and Server2 that run Windows Server 2012. Server1 and
Server2 have the Hyper-V server role installed.

Server1 and Server2 have different processor models from the same manufacturer.
On Server1, you plan to create a virtual machine named VM1. Eventually, VM1 will be exported to Server2.
You need to ensure that when you import VM1 to Server2, you can start VM1 from saved snapshots.
What should you configure on VM1?
To answer, select the appropriate node in the answer area.
Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
"Eventually, VM1 will be exported to Server2. You need to ensure that when you import VM1 to Server2, you
can start VM1 from saved snapshots."
You need to check processor compatibility before the snapshot is created.

When you take a snapshot of a running VM, Hyper-V briefly pauses the VM to create a new automatic virtual
hard disk (AVHD) which is essentially a differencing disk, attaches it to the VM to store changes to the VM data,
saves the processor state into a file (.bin), then resumes the VM.

http://download.microsoft.com/download/F/2/1/F2146213-4AC0-4C50-B69A-12428FF0B077/VM%20processor%20compatibility%20mode.doc
http://support.microsoft.com/kb/2003737
http://www.shogan.co.uk/vmware/live-migrating-a-vm-on-a-hyper-v-failover-cluster-fails-processor-specificfeatures-not-supported/
http://social.technet.microsoft.com/Forums/windowsserver/en-US/57cdd7b4-099c-4bd4-9f4e-1bf83d206897/live-migration-hyperv2012-fails-if-snapshots-are-present-id-1155?forum=winserverClustering
QUESTION 7
* Your network contains two servers named Server1 and Server2. Both servers run Windows Server 2012 and
have the Hyper-V server role installed.
Server1 hosts a virtual machine named VM1. The virtual machine configuration files and the virtual hard disks
for VM1 are stored in D:\VM1.
You shut down VM1 on Server1.
You copy D:\VM1 to D:\VM1 on Server2.
You need to start VM1 on Server2. You want to achieve this goal by using the minimum amount of
administrative effort.
What should you do?
A. Run the Import-VMInitialReplication cmdlet.
B. Create a new virtual machine on Server2 and attach the VHD from VM1 to the new virtual machine.
C. From Hyper-V Manager, run the Import Virtual Machine wizard.
D. Run the Import-IscsiVirtualDisk cmdlet.

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 8
* You have a Hyper-V host named Server1 that runs Windows Server 2012. Server1 contains a virtual machine
named VM1 that runs Windows Server 2012.
You fail to start VM1 and you suspect that the boot files on VM1 are corrupt.
On Server1, you attach the virtual hard disk (VHD) of VM1 and you assign the VHD a drive letter of F.
You need to repair the corrupt boot files on VM1.
What should you run?
A. bootrec.exe /rebuildbcd
B. bootrec.exe /scanos
C. bcdboot.exe f:\windows /s c:
D. bcdboot.exe c:\windows /s f:

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Bcdboot
Enables you to quickly set up a system partition, or to repair the boot environment located on the system
partition. The system partition is set up by copying a simple set of Boot Configuration Data (BCD) files to an
existing empty partition.

http://technet.microsoft.com/en-us/library/dd744347%28v=ws.10%29.aspx
http://technet.microsoft.com/en-us/library/gg577238%28v=ws.10%29.aspx
QUESTION 9
* You have a server named Server1 that runs Windows Server 2012.
You modify the properties of a system driver and you restart Server1.
You discover that Server1 continuously restarts without starting Windows Server 2012.
You need to start Windows Server 2012 on Server1 in the least amount of time. The solution must minimize the
amount of data loss.
Which Advanced Boot Option should you select?
A. Last Known Good Configuration (advanced)
B. Repair Your Computer
C. Disable automatic restart on system failure
D. Disable Driver Signature Enforcement

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
http://windows.microsoft.com/en-ph/windows-vista/using-last-known-good-configuration

QUESTION 10
* Your network contains two servers named Server1 and Server2 that run Windows Server 2012. Both servers
have the Hyper-V server role installed. The servers have the hardware configurations shown in the following
table.

Server1 hosts five virtual machines that run Windows Server 2012.
You need to move the virtual machines from Server1 to Server2. The solution must minimize downtime.
What should you do for each virtual machine?
A. Export the virtual machines from Server1 and import the virtual machines to Server2.
B. Perform a live migration.
C. Perform a quick migration.
D. Perform a storage migration.


Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
When a Virtual Machine (VM) is started on a host, the Hypervisor exposes the set of supported processor
features available on the underlying hardware of that host to the VM. These sets of processor features are
called the guest visible processor features. This set of processor features is available to the VM until the VM is
restarted.
When a running VM is migrated to another host, Hyper-V first verifies that the processor features currently
available to the VM are also available on the destination host. If the destination processor does not support all
of the features available to the VM, the migration will fail.
So the conclusion is that you can't migrate a VM from an AMD host to an Intel host (with or without processor
compatibility mode), or vice versa. But you can first export a VM from an AMD host and then import it to an Intel
host, because during VM import the VM is essentially restarted, in which case the VM relearns the processor
features available from the host.
http://technet.microsoft.com/en-us/magazine/gg299590.aspx
Hyper-V VM Processor Compatibility

P.S. Hyper-V Replica supports Hyper-V hosts on different CPU platforms. When a Hyper-V virtual machine is
replicated to a replica server, only its data is replicated to the replica server, not the VM state.
QUESTION 11
* You have a server named Server1 that runs Windows Server 2012.
Server1 has a single volume that is encrypted by using BitLocker Drive Encryption (BitLocker).
BitLocker is configured to save encryption keys to a Trusted Platform Module (TPM). Server1 is configured to
perform a daily system image backup.
The motherboard on Server1 is upgraded.
After the upgrade, Windows Server 2012 on Server1 fails to start.
You need to start the operating system on Server1 as soon as possible.
What should you do?

A. Start Server1 from the installation media. Run startrep.exe.
B. Move the disk to a server that has a model of the old motherboard. Start the server from the installation
media. Run bcdboot.exe.
C. Move the disk to a server that has a model of the old motherboard. Start the server. Run tpm.msc.
D. Start Server1 from the installation media. Perform a system image recovery.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
When a local administrator initializes BitLocker, the administrator should also create a recovery password or a
recovery key. Without a recovery key or recovery password, all data on the encrypted drive may be inaccessible
and unrecoverable if there is a problem with the BitLocker-protected drive.
Encryption keys are lost? Nothing mentioned about password/keys recovery.

My point is that the only way is to restore the server from a backup.
BitLocker treats unauthorized modification of any of the early boot components as a potential attack and will
place the system into recovery mode.
http://technet.microsoft.com/en-us/library/cc749022%28v=ws.10%29.aspx#BKMK_S2
http://social.technet.microsoft.com/Forums/windows/en-US/6b34b4da-b1e2-4038-8d6d-192f973cadea/usingsystem-image-with-a-bitlocker-system-drive?forum=w7itprosecurity
What causes BitLocker to start into recovery mode when attempting to start the operating system
drive?
http://technet.microsoft.com/en-us/library/ee449438%28v=WS.10%29.aspx#BKMK_examplesosrec

If there is an option to Start Server1 and type the BitLocker Recovery Password then this is the correct
option.
QUESTION 12
* You have a server named Server1 that runs Windows Server 2012. The volumes on Server1 are configured
as shown in the following table.

A new corporate policy states that backups must use Windows Azure Online Backup whenever possible.
You need to identify which backup methods you must use to back up Server1. The solution must use Windows
Azure Online Backup whenever possible.
Which backup type should you identify for each volume?
To answer, select the appropriate backup type for each volume in the answer area.
Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
QUESTION 13
* You have a server named Server1 that runs Windows Server 2012. Server1 has the Windows Deployment
Services server role installed. You back up Server1 each day by using Windows Server Backup.
The disk array on Server1 fails.
You replace the disk array.
You need to restore Server1 as quickly as possible.
What should you do?
A.
B.
C.
D.

Start Server1 from the Windows Server 2012 installation media.


Start Server1 and press F8.
Start Server1 and press Shift+F8.
Start Server1 by using the PXE.

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
You can recover your server operating system or full server by using Windows Recovery Environment and a
backup that you created earlier with Windows Server Backup.
You can access the recovery and troubleshooting tools in Windows Recovery Environment through the System
Recovery Options dialog box in the Install Windows Wizard.
Windows 8 and Windows Server 2012 handle the recovery environment entirely differently. They put Windows RE
on the MSR partition by default. Note that Windows 8 may be booting too fast to reach the boot menu by
pressing F8. Instead, you can hold down the Shift key when pressing reboot on a running Windows 8 system. This will
allow you to choose how to proceed after rebooting the machine.

Recovery of the OS uses the Windows Setup Disc


http://technet.microsoft.com/en-us/library/cc755163.aspx
http://technet.microsoft.com/en-us/library/cc753920.aspx
http://blogs.sepago.de/d/nicholas/2012/07/25/windows-recovery-environment-re-explained
QUESTION 14
* Your network contains two servers named Server1 and Server2 that run Windows Server 2012.
Both servers have the Hyper-V server role installed. Server1 and Server2 are located in different offices. The
offices connect to each other by using a high-latency WAN link.
Server2 hosts a virtual machine named VM1.
You need to ensure that you can start VM1 on Server1 if Server2 fails. The solution must minimize hardware
costs.
What should you do?
A. On Server1, install the Multipath I/O (MPIO) feature. Modify the storage location of the VHDs for VM1.
B. From the Hyper-V Settings of Server2, modify the Replication Configuration settings.
Enable replication for VM1.
C. On Server2, install the Multipath I/O (MPIO) feature. Modify the storage location of the VHDs for VM1.
D. From the Hyper-V Settings of Server1, modify the Replication Configuration settings.
Enable replication for VM1.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
You first have to enable replication on the Replica server (Server1) by going to the server and modifying the
"Replication Configuration" settings under Hyper-V settings. You then go to VM1, which resides on Server2, and
run the "Enable Replication" wizard on VM1.

QUESTION 15
Your network contains an Active Directory domain named contoso.com. The domain contains two member
servers named Server1 and Server2 that run Windows Server 2012. Both servers have the Hyper-V server role
installed.
The network contains an enterprise certification authority (CA). All servers are enrolled automatically for a
certificate based on the Computer certificate template.
On Server1, you have a virtual machine named VM1. VM1 is replicated to Server2.
You need to encrypt the replication of VM1.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

A. On Server1, modify the settings of VM1.
B. On Server2, modify the settings of VM1.
C. On Server2, modify the Hyper-V Settings.
D. On Server1, modify the Hyper-V Settings.
E. On Server1, modify the settings of the virtual switch to which VM1 is connected.
F. On Server2, modify the settings of the virtual switch to which VM1 is connected.

Correct Answer: AF
Section: (none)
Explanation
Explanation/Reference:
Modify replication settings of VM1 after enabling Replica on Server2
Enable Server2 as Hyper-V replica server
http://technet.microsoft.com/en-us/library/jj134240.aspx

Once you change the Hyper-V Settings of Server2 to encrypt replications with a certificate, you then need to
change the replication information of VM1 to use the secure connection.

QUESTION 16
* You have a server named Server1 that runs Windows Server 2012 and is used for testing.
A developer at your company creates and installs an unsigned kernel-mode driver on Server1. The developer
reports that Server1 will no longer start.
You need to ensure that the developer can test the new driver. The solution must minimize the amount of data
loss.
Which Advanced Boot Option should you select?
A. Disable Driver Signature Enforcement
B. Disable automatic restart on system failure
C. Last Known Good Configuration (advanced)
D. Repair Your Computer
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
By default, 64-bit versions of Windows Vista and later versions of Windows will load a kernel-mode driver only if
the kernel can verify the driver signature. However, this default behavior can be disabled to facilitate early driver
development and non-automated testing.

http://technet.microsoft.com/en-us/library/jj134246.aspx
http://msdn.microsoft.com/en-us/library/windows/hardware/ff547565(v=vs.85).aspx
QUESTION 17
* You have a server named Server1 that runs Windows Server 2012.
Each day, Server1 is backed up fully to an external disk.
On Server1, the disk that contains the operating system fails. You replace the failed disk.
You need to perform a bare-metal recovery of Server1 by using the Windows Recovery Environment (Windows
RE).
What should you use?
A. Run the wbadmin.exe start sysrecovery command and specify the -backuptarget
B. Run the wbadmin.exe start recovery command and specify the -recoverytarget parameter
C. The Get-WBBareMetalRecovery cmdlet
D. The Start-WBVolumeRecovery cmdlet

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
wbadmin start sysrecovery
Performs a system recovery (bare metal recovery) using the parameters that you specify.
This subcommand can be run only from the Windows Recovery Environment, and it is not listed by default in
the usage text of Wbadmin.

http://technet.microsoft.com/en-us/library/cc742118.aspx
QUESTION 18
* You have a server named Server1 that runs Windows Server 2012.
Server1 is backed up by using Windows Server Backup. The backup configuration is shown in the exhibit.
(Click the Exhibit button.)
You discover that only the last copy of the backup is maintained.
You need to ensure that multiple backup copies are maintained.
What should you do?
Exhibit:

A. Modify the backup destination.
B. Configure the Optimize Backup Performance settings.
C. Modify the Volume Shadow Copy Service (VSS) settings.
D. Modify the backup times.

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:

http://technet.microsoft.com/en-us/library/cc742083.aspx
QUESTION 19
* Your network contains an Active Directory domain named contoso.com. The domain contains two member
servers named Server1 and Server2. All servers run Windows Server 2012.
Server1 and Server2 have the Hyper-V server role installed. The servers are configured as shown in the
following table.

You add a third server named Server3 to the network. Server3 has Intel processors.
You need to move VM3 and VM6 to Server3. The solution must minimize downtime on the virtual machines.
Which method should you use to move each virtual machine?
To answer, select the appropriate method for each virtual machine in the answer area.
Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
When a Virtual Machine (VM) is started on a host, the Hypervisor exposes the set of supported processor
features available on the underlying hardware of that host to the VM. These sets of processor features are
called the guest visible processor features. This set of processor features is available to the VM until the VM is
restarted.
When a running VM is migrated to another host, Hyper-V first verifies that the processor features currently
available to the VM are also available on the destination host. If the destination processor does not support all
of the features available to the VM, the migration will fail.
So the conclusion is that you can't migrate a VM from an AMD host to an Intel host (with or without processor
compatibility mode), or vice versa. But you can first export a VM from an AMD host and then import it to an Intel
host, because during VM import the VM is essentially restarted, in which case the VM relearns the processor
features available from the host.
http://technet.microsoft.com/en-us/magazine/gg299590.aspx
Hyper-V VM Processor Compatibility

P.S. Hyper-V Replica supports Hyper-V hosts on different CPU platforms. When a Hyper-V virtual machine is
replicated to a replica server, only its data is replicated to the replica server, not the VM state.
QUESTION 20
* You have a server named Server1 that runs Windows Server 2012.
When you install a custom application on Server1 and restart the server, you receive the following error
message: "The Boot Configuration Data file is missing some required information.
File: \Boot\BCD
Error code: 0x0000034."
You start Server1 by using Windows PE.
You need to ensure that you can start Windows Server 2012 on Server1.
Which tool should you use?
A. Bootsect
B. Bootim
C. Bootrec
D. Bootcfg

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Use the Bootrec.exe tool in the Windows Recovery Environment to troubleshoot and repair startup issues in
Windows
http://support.microsoft.com/kb/927392/en
QUESTION 21
* You perform a full installation of Windows Server 2012 on a virtual machine named Server1. You plan to use
Server1 as a reference image.
You need to minimize the amount of storage space used by the Windows Server 2012 installation.
Which cmdlet should you use?


A. Remove-Module
B. Optimize-VHD
C. Optimize-Volume
D. Uninstall-WindowsFeature

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Optimize-VHD
Optimizes the allocation of space used by virtual hard disk files, except for fixed virtual hard disks.
The Optimize-VHD cmdlet optimizes the allocation of space in one or more virtual hard disk files, except for fixed
virtual hard disks. The Compact operation is used to optimize the files. This operation reclaims unused blocks
and rearranges the blocks to be more efficiently packed, which reduces the size of a virtual hard disk file.

http://technet.microsoft.com/en-us/library/hh848458.aspx
QUESTION 22
* Your network contains two servers named HV1 and HV2. Both servers run Windows Server 2012 and have
the Hyper-V server role installed.
HV1 hosts 25 virtual machines. The virtual machine configuration files and the virtual hard disks are stored in
D:\VM.
You shut down all of the virtual machines on HV1.
You copy D:\VM to D:\VM on HV2.
You need to start all of the virtual machines on HV2. You want to achieve this goal by using the minimum
amount of administrative effort.
What should you do?
A. Run the Import-VMInitialReplication cmdlet.
B. From HV1, export all virtual machines to D:\VM. Copy D:\VM to D:\VM on HV2 and overwrite the existing
files. On HV2, run the Import Virtual Machine wizard.
C. From HV1, export all virtual machines to D:\VM. Copy D:\VM to D:\VM on HV2 and overwrite the existing
files. On HV2, run the New Virtual Machine wizard.
D. Run the Import-VM cmdlet.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:

Import-VM
Imports a virtual machine from a file.

http://technet.microsoft.com/en-us/library/hh848495.aspx
QUESTION 23
* Your network contains an Active Directory domain named contoso.com. The domain contains two servers
named Server1 and Server2 that run Windows Server 2012. Server1 is a file server that has the Hyper-V server
role installed.
Server1 hosts several virtual machines. The virtual machine configuration files are stored on drive D and the
VHD files are stored on drive E.
You plan to replace drive E with a larger volume.
You need to ensure that the virtual machines on Server1 remain available while drive E is being replaced.
What should you do?
A. Perform a quick migration.
B. Add Server1 and Server2 as nodes in a failover cluster.
C. Perform a live migration.
D. Perform a storage migration.

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
One important note to make here: we are very careful not to delete the source virtual hard disk until after the
virtual machine is successfully running on the destination virtual hard disk.
Hyper-V in Windows Server 2012 introduces support for moving virtual machine storage without downtime by
making it possible to move the storage while the virtual machine remains running.
http://blogs.msdn.com/b/virtual_pc_guy/archive/2012/03/14/how-does-storage-migration-actually-work.aspx

http://technet.microsoft.com/en-us/library/hh831656.aspx
QUESTION 24
* You have a server named Server1 that runs Windows Server 2012.
Server1 fails.
You identify that the master boot record (MBR) is corrupt.
You need to repair the MBR.
Which tool should you use?
A. Bcdedit
B. Bcdboot
C. Bootrec
D. Fixmbr

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Use the Bootrec.exe tool in the Windows Recovery Environment to troubleshoot and repair startup issues in
Windows
http://support.microsoft.com/kb/927392/en
QUESTION 25
* Your network contains two servers that run Windows Server 2012 named Server1 and Server2. Both servers
have the File Server role service installed.
On Server2, you create a share named Backups.
From Windows Server Backup on Server1, you schedule a full backup to run every night. You set the backup
destination to \\Server2\Backups.
After several weeks, you discover that \\Server2\Backups only contains the last backup that completed on
Server1.
You need to ensure that multiple backups of Server1 are maintained.
What should you do?
A. Modify the Volume Shadow Copy Service (VSS) settings.
B. Modify the properties of the Windows Store Service (WSService) service.
C. Change the backup destination.
D. Configure the permission of the Backups share.

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:

Don't you love Microsoft backups utility ??? ;) it's micro and soft ...
http://technet.microsoft.com/en-us/library/cc753528.aspx
QUESTION 26
* You have a test server named Server1 that is configured to dual-boot between Windows Server 2008 R2 and
Windows Server 2012.
You start Server1 and you discover that the boot entry for Windows Server 2008 R2 no longer appears on the
boot menu.
You start Windows Server 2012 on Server1 and you discover the disk configurations shown in the following
table.

You need to restore the Windows Server 2008 R2 boot entry on Server1.
What should you do?
A. Run bootrec.exe and specify the /scanos parameter.
B. Run bcdedit.exe and specify the /create store parameter.
C. Run bootcfg.exe and specify the /copy parameter.
D. Run bootrec.exe and specify the /rebuildbcd parameter.

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Use the Bootrec.exe tool in the Windows Recovery Environment to troubleshoot and repair startup issues in
Windows
Use the Bootrec.exe tool to troubleshoot a "Bootmgr Is Missing" issue. If rebuilding the BCD does not resolve the
startup issue, you can export and delete the BCD, and then run this option again. By doing this, you make sure
that the BCD is completely rebuilt.
To do this, type the following commands at the Windows RE command prompt:
bcdedit /export C:\BCD_Backup
c:
cd boot
attrib bcd -s -h -r
ren c:\boot\bcd bcd.old
bootrec /RebuildBcd
http://support.microsoft.com/kb/927392/en
QUESTION 27
* You are employed as a network administrator at contoso.com. Contoso.com has a single Active Directory
domain named contoso.com. All servers on the contoso.com network have Windows Server 2012 installed.
You are preparing to install a third-party application on a contoso.com server, named SERVER1. You find that
the application is unable to install completely due to its driver not being digitally signed.
You want to make sure that the application can be installed successfully.
Which of the following actions should you take?
A. You should consider downloading a signed driver
B. You should consider having SERVER1 restored to an earlier date
C. You should consider making use of the Disable Driver Signature Enforcement option from the Advanced
Boot Option.
D. You should consider restarting SERVER1 in Safe Mode
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Disable Driver Signature Enforcement from Advanced Boot Options allows the OS to load without enforcing the
signed driver requirements.

QUESTION 28
* You have a server named Server1 that runs Windows Server 2012.
Windows Server 2012 is installed on volume C.
You need to ensure that Safe Mode with Command Prompt loads the next time Server1 restarts.
Which tool should you use?
A. The Restart-Server cmdlet
B. The Bootcfg command
C. The Restart-Computer cmdlet
D. The Bcdedit command

Correct Answer: D
Section: (none)

Explanation
Explanation/Reference:
Boot Configuration Data (BCD) files provide a store that is used to describe boot applications and boot
application settings.
http://msdn.microsoft.com/en-us/library/windows/hardware/ff542202%28v=vs.85%29.aspx

You can see with the msconfig tool that the boot options have changed as follows:
NOTE: Alternate Shell may be used

After reboot you should remove the safeboot option using bcdedit:
- bcdedit /deletevalue safeboot
QUESTION 29
* Your network contains an Active Directory domain named contoso.com. The domain contains a server named
Server1 that runs Windows Server 2012.
You need to ensure that a WIM file that is located on a network share is used as the installation source when
installing server roles and features on Server1.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Run the dism.exe command and specify the /remove-package parameter.
B. Run the Remove-WindowsFeature cmdlet.
C. Enable and configure the Specify settings for optional component installation and component repair policy
setting by using a Group Policy object (GPO).
D. Enable the Enforce upgrade component rules policy setting by using a Group Policy object (GPO).
E. Run the Remove-WindowsPackage cmdlet.
Correct Answer: AC
Section: (none)
Explanation
Explanation/Reference:
A: To remove packages from an offline image by using DISM. Example: At a command prompt, specify the
package identity to remove it from the image. You can remove multiple packages on one command line.
DISM /Image:C:\test\offline /Remove-Package /PackageName:Microsoft.Windows.Calc.Demo~6595b6144ccf1df~x86~en~1.0.0.0 /PackageName:Microsoft-Windows-MediaPlayerPackage~31bf3856ad364e35~x86~~6.1.6801.0
C: * You can use Group Policy to specify a Windows image repair source to use within your network. The repair
source can be used to restore Windows features or to repair a corrupted Windows image.
* Set Group Policy
You can use Group Policy to specify when to use Windows Update, or a network location as a repair source for
features on demand and automatic corruption repair.
To configure Group Policy for Feature on Demand
Open the group policy editor. For example, on a computer that is running Windows 8, click Search, click
Settings, type Edit Group Policy, and then select the Edit Group Policy setting.
Click Computer Configuration, click Administrative Templates, click System, and then double-click the Specify
settings for optional component uninstallation and component repair setting.
Select the settings that you want to use for Features on Demand.
Note:
* The Windows Imaging Format (WIM) is a file-based disk image format. It was developed by Microsoft to help
deploy Windows Vista and subsequent versions of Windows operating system family, as well as Windows
Fundamentals for Legacy PCs.

http://technet.microsoft.com/en-us/library/jj127275.aspx
QUESTION 30
You have a server named Server1 that runs Windows Server 2012.
You are asked to test Windows Azure Online Backup to back up Server1.
You need to back up Server1 by using Windows Azure Online Backup.
Which four actions should you perform in sequence?
To answer, move the appropriate four actions from the list of actions to the answer area and arrange them in
the correct order.
Select and Place:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
QUESTION 31
You have a server named Server1 that runs Windows Server 2012.
Windows Server 2012 is installed on volume C.
You need to ensure that Safe Mode with Networking loads the next time Server1 restarts.

Which tool should you use?


A. The Msconfig command
B. The Restart-Server cmdlet
C. The Restart-Computer cmdlet
D. The Bootcfg command

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:

QUESTION 32
* You perform a Server Core install of Windows 2012 R2 on a server named Server1. You need to add a
graphical user interface (GUI). Which tool should you use?
A. the dism.exe command
B. the ocsetup.exe command
C. the setup.exe command
D. the install-module cmdlet

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 33
* Your network contains two servers named Server1 and Server2. Both servers run Windows 2012 R2. On
Server1 you create a Data Collector Set (DCS) named Data1. You need to export Data1 to Server2. What
should you do first?
A. Right-click Data1 and click Data Manager...
B. Right-click Data1 and click Save template...
C. Right-click Data1 and click Properties...
D. Right-click Data1 and click Export list...

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 34
* You are employed as a network admin at ABC.com. ABC.com has an AD domain named ABC.com. All the
servers run Windows 2012 R2. ABC has a server named Server1 which has been configured to run the Hyper-V
server role. Server1 is configured to host multiple VMs. ABC acquires a server with a better hardware
configuration. You are instructed to relocate the VMs to the new server with as little interruption as possible.
Which of the following actions should you take? (Choose all that apply.)
A. You should consider exporting the VMs from Server1.
B. You should consider running a snapshot backup of Server1.
C. You should consider importing the VM from Server1 to the new server.
D. You should consider restoring the snapshot backup on the hard drives of the new server.

Correct Answer: AC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 35
* Your network contains two servers named Server1 and Server2. Both servers run Windows 2012 R2. On
Server1 you create a Data Collector Set (DCS) named DCS1. You need to configure DCS1 to log data to
D:\logs. What should you do?
A. Right-click Data1 and click Data Manager...
B. Right-click Data1 and click Save template...
C. Right-click Data1 and click Properties...
D. Right-click Data1 and click Export list...

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 36
* Your network contains three servers named HV1, HV2, and Server1 that run Windows Server 2012 R2. HV1
and HV2 have the Hyper-V server role installed. Server1 is a file server that contains 3 TB of free disk space.
HV1 hosts a virtual machine named VM1. The virtual machine configuration file for VM1 is stored in D:\VM and
the virtual hard disk file is stored in E:\VHD.


You plan to replace drive E with a larger volume.
You need to ensure that VM1 remains available from HV1 while drive E is being replaced. You want to achieve
this goal by using the minimum amount of administrative effort.
What should you do?
A. Perform a live migration to HV2.
B. Add HV1 and HV2 as nodes in a failover cluster. Perform a storage migration to HV2.
C. Add HV1 and HV2 as nodes in a failover cluster. Perform a live migration to HV2.
D. Perform a storage migration to Server1.

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 37
* You have a virtual machine named VM1 that runs on a host named Host1.
You configure VM1 to replicate to another host named Host2. Host2 is located in the same physical location as
Host1.
You need to add an additional replica of VM1. The replica will be located in a different physical site.
What should you do?

A. From VM1 on Host2, click Extend Replication.
B. On Host1, configure the Hyper-V settings.
C. From VM1 on Host1, click Extend Replication.
D. On Host2, configure the Hyper-V settings.

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
http://blogs.technet.com/b/virtualization/archive/2013/12/10/hyper-v-replica-extend-replication.aspx
Once that is done, go to the replica site and from Hyper-V Manager select the VM for which you want to extend
the replication. Right-click the VM and select Replication -> Extend Replication. This will open the Extend
Replication Wizard, which is similar to the Enable Replication Wizard.
http://technet.microsoft.com/en-us/library/dn551365.aspx
http://technet.microsoft.com/en-us/library/jj134240.aspx
NOTE: You configure a server to receive replication with Hyper-V Manager, in this situation the replica
site is assumed to be the Replica Server. Therefore you extend replication from VM1 on Host2.

Configure Network Services


QUESTION 1
* You have a DHCP server named Server1. Server1 has one network adapter. Server1 is located on a subnet
named Subnet1. Server1 has scope named Scope1. Scope1 contains IP addresses for the 192.168.1.0/24
network.
Your company is migrating the IP addresses on Subnet1 to use a network ID of 10.10.0.0/16.
On Server1, you create a scope named Scope2. Scope2 contains IP addresses for the 10.10.0.0/16 network.
You need to ensure that clients on Subnet1 can receive IP addresses from either scope.
What should you create on Server1?
A. A multicast scope
B. A scope
C. A superscope
D. A split-scope

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:

http://technet.microsoft.com/en-us/library/cc958938.aspx
QUESTION 2
* Your network contains an Active Directory domain named contoso.com. The domain contains two servers
named Server1 and Server2 that run Windows Server 2012. Server1 has the IP Address Management (IPAM)
Server feature installed. Server2 has the DHCP Server server role installed.
A user named User1 is a member of the IPAM Users group on Server1.
You need to ensure that User1 can use IPAM to modify the DHCP scopes on Server2. The solution must
minimize the number of permissions assigned to User1.
To which group should you add User1?
A. DHCP Administrators on Server2
B. IPAM ASM Administrators on Server1
C. IPAMUG in Active Directory
D. IPAM MSM Administrators on Server1

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
IPAM in Windows Server 2012 is a new built-in framework for discovering, monitoring, auditing, and managing
the IP address space used on your network.
IPAM provides a dynamic view of your IP infrastructure, and the view is continually refreshed by periodic tasks
that run on the IPAM server. IPAM also enables administrators to perform several configuration actions directly
from the IPAM console.
The Universal Security Group IPAMUG is created in your Active Directory domain when you install the IPAM
feature. Permissions in DNS and DHCP are keyed to this security group. Make sure the group has been
created and that the computer account of your IPAM server is a member of the group.
Problem: You are unable to make configuration changes on a DHCP server or scope.

Solution: Verify that DHCP RPC firewall ports are enabled on the target DHCP server, and that you are signed
in with an account that has DHCP Administrators privileges on the target DHCP server.
http://technet.microsoft.com/en-us/library/jj878309.aspx
QUESTION 3
* Your network contains an Active Directory domain named contoso.com. The domain contains two servers
named Server1 and Server2 that run Windows Server 2012. Server1 has the DHCP Server server role
installed. Server2 has the Hyper-V server role installed.
Server2 has an IP address of 192.168.10.50.
Server1 has a scope named Scope1 for the 192.168.10.0/24 network.
You plan to deploy 20 virtual machines on Server2 that will be connected to the external network. The MAC
addresses for the virtual machines will begin with 00-15-5D-83-03.
You need to configure Server1 to offer the virtual machines IP addresses from 192.168.10.200 to
192.168.10.219. Physical computers on the network must be offered IP addresses outside this range. You want
to achieve this goal by using the minimum amount of administrative effort.
What should you do from the DHCP console?
A. Create reservations.
B. Create a policy.
C. Delete Scope1 and create two new scopes.
D. Configure Allow filters and Deny filters.

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
DHCP policy based assignment
With a DHCP server running Windows Server 2012, administrators can define an address assignment policy at
the server level or scope level. A policy contains a set of conditions to evaluate when processing client
requests.
The following fields in the DHCP client request are available when defining policies.
Vendor Class
User Class
MAC address
Client Identifier
Relay Agent Information

http://technet.microsoft.com/en-us/library/hh831538.aspx#pba_2a
QUESTION 4
* Your network contains an Active Directory domain named contoso.com. The domain contains two servers
named Server1 and Server2. Both servers have the IP Address Management (IPAM) Server feature installed.
You have a support technician named Tech1. Tech1 is a member of the IPAM Administrators group on Server1
and Server2.
You need to ensure that Tech1 can use Server Manager on Server1 to manage IPAM on Server2.
To which group on Server2 should you add Tech1?
A. Remote Management Users
B. IPAM MSM Administrators
C. IPAM Administrators
D. WinRMRemoteWMIUsers

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
IPAM is an agentless multi-server, multi-service management feature that leverages standard Windows remote
management protocols to manage, monitor and collect data from IP address infrastructure servers. IPAM relies
on a host of remote management technologies to provide full functionality. Communication with multiple
network elements throughout the enterprise is required for data gathering and configuration management.
Depending on the scope of managed elements, this communication may need to traverse multiple security
boundaries or domains.
If you are accessing the IPAM server from a remote IPAM client, you must be a member of the
WinRMRemoteWMIUsers group on the IPAM server, in addition to being a member of the appropriate local
IPAM security group.

http://technet.microsoft.com/en-us/library/jj878312.aspx
http://msdn.microsoft.com/en-us/library/aa384463%28v=vs.85%29.aspx
QUESTION 5
* You have a DNS server named Server1 that runs Windows Server 2012. Server1 has a signed zone for
contoso.com.
You need to configure DNS clients to perform DNSSEC validation for the contoso.com DNS domain.
What should you configure?
A. The Network Connection settings
B. A Name Resolution Policy
C. The Network Location settings
D. The DNS Client settings

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:

http://technet.microsoft.com/en-us/library/ee649182(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/ee649136(v=ws.10).aspx
QUESTION 6
* Your network contains an Active Directory domain named contoso.com. The domain contains a domain
controller named DC1 and a member server named Server1.
Server1 has the IP Address Management (IPAM) Server feature installed.
On DC1, you configure Windows Firewall to allow all of the necessary inbound ports for IPAM.
On Server1, you open Server Manager as shown in the exhibit. (Click the Exhibit button.)
You need to ensure that you can use IPAM on Server1 to manage DNS on DC1.

What should you do?


Exhibit:

A. Modify the outbound firewall rules on Server1.
B. Modify the inbound firewall rules on Server1.
C. Add Server1 to the Remote Management Users group.
D. Add Server1 to the Event Log Readers group.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Event Log Readers group: members of this group are granted 'read' permissions on the Event Log. This group
doesn't have any users by default.

IPAM provides a dynamic view of your IP infrastructure, and the view is continually refreshed by periodic tasks
that run on the IPAM server. IPAM also enables administrators to perform several configuration actions directly
from the IPAM console. IPAM is not enabled by default and must be installed as a server feature. You can
install IPAM using the Add Roles and Features Wizard in Server Manager, or using Windows PowerShell.

http://technet.microsoft.com/en-us/library/jj878313.aspx
QUESTION 7
* Your network contains an Active Directory domain named contoso.com. The domain contains servers named
Server1 and Server2 that run Windows Server 2012. Server1 has the IP Address Management (IPAM) Server
feature installed.
You install the IPAM client on Server2.
You open Server Manager on Server2 as shown in the exhibit. (Click the Exhibit button.)
You need to manage IPAM from Server2.
What should you do first?
Exhibit:

A. On Server1, add the Server2 computer account to the IPAM MSM Administrators group.
B. On Server2, open Computer Management and connect to Server1.
C. On Server2, add Server1 to Server Manager.
D. On Server1, add the Server2 computer account to the IPAM ASM Administrators group.

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
NOTE: Servers Total: 1

http://technet.microsoft.com/en-us/library/hh831453.aspx
http://technet.microsoft.com/en-us/library/hh831622.aspx
QUESTION 8
* Your network contains an Active Directory domain named contoso.com. The domain contains a domain
controller named DC1. DC1 has the DNS Server server role installed.
The network has two sites named Site1 and Site2. Site1 uses 10.10.0.0/16 IP addresses and Site2 uses
10.11.0.0/16 IP addresses. All computers use DC1 as their DNS server.
The domain contains four servers named Server1, Server2, Server3, and Server4. All of the servers run a
service named Service1.
DNS host records are configured as shown in the exhibit. (Click the Exhibit button.)
You discover that computers from the 10.10.1.0/24 network always resolve Service1 to the IP address of
Server1.

You need to configure DNS on DC1 to distribute computers in Site1 between Server1 and Server2 when the
computers attempt to resolve Service1.
What should run on DC1?
Exhibit:

A. dnscmd /config /bindsecondaries 1
B. dnscmd /config /localnetpriority 0
C. dnscmd /config /localnetprioritynetmask 0x0000ffff
D. dnscmd /config /roundrobin 0

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
You can use the Dnscmd /Config /LocalNetPriorityNetMask 0x0000FFFF command to use class B (or 16 bit)
for netmask ordering for DNS round robin.

http://msmvps.com/blogs/acefekay/archive/2010/05/29/dns-and-subnet-priortization-amp-dns-round-robin.aspx
http://support.microsoft.com/kb/842197
QUESTION 9
* You have a server named Server1 that runs Windows Server 2012. Server1 has five network adapters.
Three of the network adapters are connected to a network named LAN1. The two other network adapters are
connected to a network named LAN2.
You create a network adapter team named Team1 from two of the adapters connected to LAN1. You create a
network adapter team named Team2 from the two adapters connected to LAN2. A company policy states that
all server IP addresses must be assigned by using a reserved address in DHCP. You need to identify how
many DHCP reservations you must create for Server1.
How many reservations should you identify?
A. 2
B. 3
C. 5
D. 7

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Initial:
3 adapters on LAN 1
2 adapters on LAN 2
After Team:
LAN 1 teams 2 adapters in a team.
LAN 2 teams 2 adapters in a team

Resulting:
1 team on LAN 1 + 1 adapter on LAN 1 + 1 team on LAN 2 = 3 adapters.
http://technet.microsoft.com/en-us/library/hh831825.aspx
QUESTION 10
* Your network contains an Active Directory domain named contoso.com. The domain contains a server named
Server1 that runs Windows Server 2012. Server1 has the IP Address Management (IPAM) Server feature
installed. IPAM is configured currently for Group Policy-based provisioning. You need to change the IPAM
provisioning method on Server1. What should you do?
A. Run the ipamgc.exe command.
B. Run the Set-IPAMConfiguration cmdlet.
C. Reinstall the IP Address Management (IPAM) Server feature.
D. Delete IPAM Group Policy objects (GPOs) from the domain.

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:

http://technet.microsoft.com/en-us/library/jj878310.aspx
QUESTION 11
* Your network contains an Active Directory domain named contoso.com. The domain contains a domain
controller named DC1 that runs Windows Server 2012. DC1 has the DHCP Server server role installed.
DHCP is configured as shown in the exhibit. (Click the Exhibit button.)
You discover that client computers cannot obtain IPv4 addresses from DC1.
You need to ensure that the client computers can obtain IPv4 addresses from DC1.
What should you do?
Exhibit:

A. Activate the scope.
B. Authorize DC1.
C. Disable the Allow filters.
D. Disable the Deny filters.

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
There are no items in the Deny list, which means that the client computers' MAC addresses are not listed in the
Allow list. So we have to disable the "Allow Filters".
The DHCP server provides DHCP services only to clients whose MAC addresses are in the allow list. Any client
that previously received IP addresses is denied address renewal if its MAC address isn't on the allow list.

http://technet.microsoft.com/en-us/library/ee956897(v=ws.10).aspx
http://technet.microsoft.com/en-us/magazine/ff521761.aspx
QUESTION 12
* Your network contains an Active Directory domain named contoso.com. The domain contains two servers
named Server1 and Server2. Both servers have the IP Address Management (IPAM) Server feature installed.
You have a support technician named Tech1. Tech1 is a member of the IPAM Administrators group on Server1
and Server2. You need to ensure that Tech1 can use Server Manager on Server1 to manage IPAM on Server2.
To which group on Server2 should you add Tech1? To answer, select the appropriate group in the answer area.
Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
IPAM is an agentless multi-server, multi-service management feature that leverages standard Windows remote
management protocols to manage, monitor and collect data from IP address infrastructure servers. IPAM relies
on a host of remote management technologies to provide full functionality. Communication with multiple
network elements throughout the enterprise is required for data gathering and configuration management.
Depending on the scope of managed elements, this communication may need to traverse multiple security
boundaries or domains.
If you are accessing the IPAM server from a remote IPAM client, you must be a member of the
WinRMRemoteWMIUsers group on the IPAM server , in addition to being a member of the appropriate local
IPAM security group.

http://technet.microsoft.com/en-us/library/jj878312.aspx
http://msdn.microsoft.com/en-us/library/aa384463%28v=vs.85%29.aspx
QUESTION 13
* (A) Your network contains an Active Directory domain named contoso.com. The domain contains a server
named Server1 that runs Windows Server 2012 and has the DNS Server server role installed.

Server1 is configured to use a DNS server from an Internet Service Provider (ISP) as a forwarder.
Corporate management requires that client computers only resolve names of contoso.com computers.
You need to configure Server1 to resolve names in the contoso.com zone only.
What should you do on Server1?
A. From DNS Manager, modify the root hints of Server1.
B. From Windows PowerShell, run the Remove-DnsServerForwarder cmdlet.
C. From Windows PowerShell, run the Set-NetDnsTransitionConfiguration cmdlet.
D. From DNS Manager, modify the Advanced properties of Server1.

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:

http://technet.microsoft.com/en-us/library/cc771738.aspx
QUESTION 14
* You have a server named Server1 that runs Windows Server 2012. Server1 is located in the perimeter
network and has the DNS Server server role installed.
Server1 has a zone named contoso.com.
You apply a security template to Server1.
After you apply the template, users report that they can no longer resolve names from contoso.com.
On Server1, you open DNS Manager as shown in the DNS exhibit. (Click the Exhibit button.)
On Server1, you open Windows Firewall with Advanced Security as shown in the Firewall exhibit. (Click the
Exhibit button.)
You need to ensure that users can resolve contoso.com names.
What should you do?
DNS (exhibit):

Firewall (exhibit):

A. From Windows Firewall with Advanced Security, disable the DNS (TCP, Incoming) rule and the DNS (UDP,
Incoming) rule.
B. From DNS Manager, modify the Zone Transfers settings of the contoso.com zone.
C. From DNS Manager, unsign the contoso.com zone.
D. From DNS Manager, modify the Start of Authority (SOA) of the contoso.com zone.
E. From Windows Firewall with Advanced Security, modify the profiles of the DNS (TCP, Incoming) rule and
the DNS (UDP, Incoming) rule.
Correct Answer: E
Section: (none)
Explanation
Explanation/Reference:
QUESTION 15
* Your network contains two DHCP servers named Server1 and Server2. Server1 fails.
You discover that DHCP clients can no longer receive IP address leases.
You need to ensure that the DHCP clients receive IP addresses immediately.
What should you configure from the View/Edit Failover Relationship settings? To answer, select the appropriate
setting in the answer area.
Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:

http://technet.microsoft.com/en-us/library/dn338985.aspx
http://technet.microsoft.com/en-us/library/dn338986.aspx
QUESTION 16
* Your network contains two DNS servers named DNS1 and DNS2 that run Windows Server 2012.
DNS1 has a primary zone named contoso.com. DNS2 has a secondary copy of the contoso.com zone.
You need to log the zone transfer packets sent between DNS1 and DNS2.
What should you configure?
A. Monitoring from DNS Manager
B. Logging from Windows Firewall with Advanced Security
C. A Data Collector Set (DCS) from Performance Monitor
D. Debug logging from DNS Manager

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
You can use DNS Manager to selectively enable additional debug logging options for temporary trace logging
to a text-based file of DNS server activity. The file that is created and used for this feature, Dns.log, is stored in
the %systemroot%\System32\Dns folder.
Using debug logging options slows DNS server performance. For this reason, all debug logging options are
disabled by default.

http://technet.microsoft.com/en-us/library/cc776361(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc749337.aspx
QUESTION 17
* Your network contains an Active Directory domain named contoso.com. The domain contains a server named
Server3 that runs Windows Server 2012 and has the DHCP Server server role installed.
DHCP is configured as shown in the exhibit. (Click the Exhibit button.)
You need to ensure that only Scope1, Scope3, and Scope5 assign the same DNS servers to DHCP clients.
The solution must minimize administrative effort.
What should you do?
Exhibit:

A. Create a superscope and scope-level policies.
B. Configure the Scope Options.
C. Create a superscope and a filter.
D. Configure the Server Options.

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
When you finish creating a new scope, you might need to complete additional tasks, such as activating the
scope for use or assigning scope options.
After a scope has been created, you can configure several DHCP options. These can be configured at one of
four levels: Server, Scope, Class, or Client.
Any options configured at the scope or client levels override those configured at the server level.
http://technet.microsoft.com/en-us/library/dd759218.aspx
http://technet.microsoft.com/en-us/library/cc757682(v=WS.10).aspx
QUESTION 18
* You are employed as a senior network administrator at contoso.com. contoso.com has an Active Directory
domain named contoso.com. All servers on the contoso.com network have Windows Server 2012 installed.
You are currently running a training exercise for junior network administrators. You are discussing the
DNSSEC NRPT rule property.
Which of the following describes the purpose of this rule property?
A. It is used to indicate the namespace to which the policy applies.
B. It is used to indicate whether the DNS client should check for DNSSEC validation in the response.
C. It is used to indicate DNSSEC must be used to protect DNS traffic for queries belonging to the namespace.

D. It is used to indicate whether DNS connections over DNSSEC will use encryption
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
The Name Resolution Policy Table (NRPT) is a table of namespaces and corresponding settings stored in the
Windows Registry that determines the DNS client's behavior when issuing queries and processing responses.
Each row in the NRPT represents a rule for a portion of the namespace for which the DNS client issues
queries. Before issuing name resolution queries, the DNS client will consult the NRPT to determine if any
additional flags must be set in the query. Upon receiving the response, the client will again consult the NRPT to
determine any special processing or policy requirements. In the absence of the NRPT, the client will operate in
a normal fashion.
The NRPT stores configurations and settings that are used to deploy DNS Security Extensions
(DNSSEC), and also stores information related to DirectAccess, a remote access technology.
The NRPT can be configured using Group Policy or by using the Windows Registry.

http://technet.microsoft.com/en-us/library/ee649207%28v=ws.10%29.aspx
QUESTION 19
* You work as an administrator at contoso.com. The contoso.com network consists of a single domain named
contoso.com. All servers on the contoso.com network have Windows Server 2012 installed.
Contoso.com has a server named SERVER1, which has the AD DS, DHCP, and DNS server roles installed.
Contoso.com also has a server named SERVER2, which has the DHCP and Remote Access server roles
installed. You have configured SERVER3, which has the File and Storage Services server role installed, to
automatically acquire an IP address.
You then create a filter on SERVER1.
Which of the following is a reason for this configuration?
A. To make sure that SERVER1 issues Server3 an IP address.
B. To make sure that SERVER1 does not issue SERVER3 an IP address
C. To make sure that SERVER3 acquires a constant IP address from SERVER2 only.
D. To make sure that SERVER3 is configured with a static IP address

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
A filter would not allow SERVER1 to issue SERVER3 an IP address.
Enable filtering
Open the DHCP console and from the Properties of the IPv4 node, select the Filters tab. Check the box to
Enable Deny List. Click OK.
Note: Do not enable the Allow list! Doing so will cause DHCP to operate on a whitelist, which requires you to
create an Allow List entry for every MAC address that should be given an IP address. By default, DHCP
operates on a blacklist, which allows all MACs to be given an IP except for ones explicitly defined on the Deny
List.

http://www.concurrency.com/blog/dhcp-filtering/
QUESTION 20
* Your network contains an Active Directory domain named contoso.com. The domain contains a server named
Server1 that runs Windows Server 2012 and has the DNS Server server role installed.
Server1 has a zone named contoso.com. The zone is configured as shown in the exhibit.
You need to assign a user named User1 permission to add and delete records from the contoso.com zone
only.
What should you do first?
Exhibit:

A. Enable the Advanced view from DNS Manager.
B. Add User1 to the DnsUpdateProxy group.
C. Run the New Delegation Wizard.
D. Configure the zone to be Active Directory-integrated.

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 21
* Your network contains an Active Directory domain named contoso.com. The domain contains a domain
controller named DC1 that runs Windows Server 2012.
DC1 has the DNS Server server role installed.
The network contains client computers that run either Linux, Windows 7, or Windows 8.
You have a standard primary zone named adatum.com as shown in the exhibit. (Click the Exhibit button.)
You plan to configure Name Protection on all of the DHCP servers.
You need to configure the adatum.com zone to support Name Protection.
Which two configurations should you perform from DNS Manager? (Each correct answer presents part of the
solution. Choose two.)

Exhibit:

A. Sign the zone.
B. Store the zone in Active Directory.
C. Modify the Security settings of the zone.
D. Configure Dynamic updates.

Correct Answer: BD
Section: (none)
Explanation
Explanation/Reference:

http://technet.microsoft.com/en-us/library/ee941152(v=ws.10).aspx
QUESTION 22
* Your network contains an Active Directory domain named contoso.com. The domain contains a server named
Server1 that runs Windows Server 2012 and has the DHCP Server server role installed.
You need to create an IPv6 scope on Server1. The scope must use an address space that is reserved for
private networks. The addresses must be routable.
Which IPv6 scope prefix should you use?
A. FF00::
B. 2001::
C. FD00:123:4567::
D. FE80::

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:

Option FC00:123:4567:: is reported to also appear in the exam.


The block fd00::/8 is defined for /48 prefixes, formed by setting the 40 least-significant bits of the prefix to a
randomly generated bit string. This results in the format fdxx:xxxx:xxxx:: for a prefix in this range.

http://en.wikipedia.org/wiki/Unique_local_address
http://technet.microsoft.com/en-us/library/gg144561(v=exchg.141).aspx
QUESTION 23
* Your network contains an Active Directory domain named adatum.com. All servers run Windows Server 2012.
All domain controllers have the DNS Server server role installed.
You have a domain controller named DC1.
On DC1, you create an Active Directory-integrated zone named adatum.com and you sign the zone by using
DNSSEC.
You deploy a new read-only domain controller (RODC) named RODC1.
You need to ensure that the contoso.com zone replicates to RODC1.
What should you configure on DC1?
To answer, select the appropriate tab in the answer area.
Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
QUESTION 24
* Your network contains an Active Directory domain named contoso.com. The domain contains a domain
controller named DC2 that runs Windows Server 2012. DC2 has the DHCP Server server role installed.
DHCP is configured as shown in the exhibit. (Click the Exhibit button.)
You discover that client computers cannot obtain IPv4 addresses from DC2.
You need to ensure that the client computers can obtain IPv4 addresses from DC2.
What should you do?
Exhibit:

A. Disable the Deny filters.
B. Enable the Allow filters.
C. Authorize DC2.
D. Restart the DHCP Server service

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:

http://technet.microsoft.com/en-us/library/gg722802%28v=ws.10%29.aspx
QUESTION 25
* Your network contains an Active Directory domain named contoso.com. The domain contains a server named
Server1 that runs Windows Server 2012 and has the DHCP Server server role installed.
Server1 has a scope named Scope1. A policy named Policy1 is configured for Scope1. Policy1 is configured to
provide Hyper-V virtual machines a one-day lease. All other computers receive an eight-day lease.
You implement an additional DHCP server named Server2 that runs Windows Server 2012.
On Server1, you configure Scope1 for DHCP failover.
You discover that virtual machines that receive IP addresses from Server2 have a lease duration of eight days.
You need to ensure that when Server2 assigns IP addresses to the Hyper-V virtual machines, the lease
duration is one day. The solution must ensure that other computers that receive IP addresses from Server2
have a lease duration of eight days.
What should you do?
A. On Server2, create a new DHCP policy.
B. On Server1, right-click Scope1, and then click Replicate Scope.
C. On Server1, delete Policy1, and then recreate the policy.
D. On Server2, right-click Scope1, and then click Reconcile.

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Windows Server 2012 includes a new policy based IP address assignment feature, which allows a Windows
DHCP administrator to group the DHCP clients by a specific attribute of the client, such as vendor class, user
class, client identifier, or MAC address. By grouping the clients based on these attributes, an administrator is
able to assign parameters such as IP address, default gateway, DNS server and other DHCP options to a
specific grouping of clients. This allows the administrator to exercise greater control on the configuration
parameters delivered to end hosts. This feature introduces the concept of multiple IP address ranges within a
single scope. To accommodate this, DHCP failover address distribution in load sharing mode is done on a per
IP address range basis.
The Replicate scope action in DHCP MMC replicates (makes identical copy) of the entire scope configuration
from the node on which you invoke the replicate action to the partner server of the failover relationship.

The expected usage of this action is Admin performs any configuration change on a scope on a server and
then invokes replicate scope action on the same server to ensure that identical configuration change is affected
on the partner server of the failover relationship. The configuration change - add/delete reservation/policies or
any other scope configuration needs to be followed up with a replicate scope action to ensure that the partner
server has identical configuration.
You may also want to consider using this script for automatic syncing of configuration changes between 2
failover servers which will obviate the need for using the replicate scope action.
Just a quick note - if you have special Predefined Options (i.e. vendor class identifier definitions, like Option 60
for Aruba access points) in the "first" DHCP server, you have to manually predefine them in the "second" server
before setting up the failover. The failover setup won't copy them over. But, it will copy over definitions in the
scope (i.e. like the Option 43 setting response for the Aruba APs).
http://terrytlslau.tls1.cc/2012/04/configuring-dhcp-failover-in-windows.html
Automatic syncing of configuration changes between 2 DHCP failover servers
http://social.technet.microsoft.com/Forums/windowsserver/en-US/a5884d03-31e2-46ea-ab89-645ef20f0ad6/windows-server-2012-dhcp-failover-replicating-function-performs-overwrite-?forum=winserverNIS
QUESTION 26
* Your network contains an Active Directory domain named contoso.com. The domain contains a server named
Server1 that runs Windows Server 2012 and has the DHCP Server server role installed.
An administrator installs the IP Address Management (IPAM) Server feature on a server named Server2. The
administrator configures IPAM by using Group Policy based provisioning and starts server discovery.
You plan to create Group Policies for IPAM provisioning.
You need to identify which Group Policy object (GPO) name prefix must be used for IPAM Group Policies.
What should you do on Server2?
A. From Server Manager, review the IPAM overview.
B. Run the ipamgc.exe tool.
C. From Task Scheduler, review the IPAM tasks.
D. Run the Get-IpamConfiguration cmdlet.

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:

http://technet.microsoft.com/en-us/library/jj553805.aspx
http://technet.microsoft.com/en-us/library/hh831622.aspx
http://technet.microsoft.com/en-us/library/jj878306.aspx
QUESTION 27
* You have a server named DC2 that runs Windows Server 2012. DC2 contains a DNS zone named
adatum.com.
The adatum.com zone is shown in the exhibit. (Click the Exhibit button.)

You need to configure DNS clients to perform DNSSEC validation for the adatum.com DNS domain.
What should you configure?
A. The Network Location settings
B. A Name Resolution Policy
C. The DNS Client settings
D. The Network Connection settings

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
DNSSEC validation
A recursive DNS server uses the DNSKEY resource record to validate responses from the authoritative DNS
server by decrypting digital signatures contained in DNSSEC-related resource records and then computing and
comparing hash values. If hash values are the same, it provides a reply to the DNS client with the DNS data it
requested (such as an A record). If hash values are not the same, it replies with a SERVFAIL message.
Additionally, if the DNS client is DNSSEC-aware, the recursive DNS server will indicate that DNSSEC validation
was performed, which can be required by the client.

http://technet.microsoft.com/en-us/library/ee649182%28v=ws.10%29.aspx
http://technet.microsoft.com/en-us/library/jj200221.aspx
QUESTION 28
* Your network contains an Active Directory forest named contoso.com. All servers run Windows Server 2012.
The domain contains four servers. The servers are configured as shown in the following table.

You need to deploy IP Address Management (IPAM) to manage DNS and DHCP.
On which server should you install IPAM?
A. DC1
B. DC2
C. DC3

D. Server1
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:

http://technet.microsoft.com/en-us/library/jj878312.aspx
QUESTION 29
* Your network contains an Active Directory domain named contoso.com. The domain contains a main office
and a branch office. An Active Directory site exists for each office.
The domain contains two servers named Server1 and Server2 that run Windows Server 2012.
Both servers have the DHCP Server server role installed. Server1 is located in the main office site. Server2 is
located in the branch office site.
Server1 provides IPv4 addresses to the client computers in the main office site. Server2 provides IPv4
addresses to the client computers in the branch office site.
You need to ensure that if either Server1 or Server2 is offline, the client computers can still obtain IPv4
addresses.
The solution must meet the following requirements:
The storage location of the DHCP databases must not be a single point of failure.
Server1 must provide IPv4 addresses to the client computers in the branch office site only if Server2 is offline.
Server2 must provide IPv4 addresses to the client computers in the main office site only if Server1 is offline.
Which configuration should you use?
A. Load sharing mode failover partners
B. A failover cluster
C. Hot standby mode failover partners
D. A Network Load Balancing (NLB) cluster

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Hot standby mode of operation is best suited to deployments where a central office or data center server acts
as a standby backup server to a server at a remote site, which is local to the DHCP clients (ex: hub and spoke
deployment). In such deployments, it is undesirable to have a remote standby server service any clients unless
the local DHCP server becomes unavailable.

http://technet.microsoft.com/en-us/library/hh831385.aspx
http://blogs.technet.com/b/teamdhcp/archive/2012/09/03/dhcp-failover-hot-standby-mode.aspx
QUESTION 30
* You have a server named Server1.
You install the IPAM feature on Server1. You need to provide a user named User1 with the ability to set the
access scope of all the DHCP servers that are managed by IPAM. The solution must use the principle of least
privilege. Which user role should you assign to User1?
A. IPAM Administrator Role
B. IPAM DHCP Administrator Role
C. IPAM ASM Administrator Role
D. DNS Record Administrator Role

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
IPAM Administrators: IPAM administrators can view all IPAM data and manage all IPAM features.
IPAM ASM Administrators: IPAM address space management (ASM) administrators can manage IP address
blocks, ranges, and addresses.
IPAM IP Audit Administrators: IPAM IP audit administrators can view IP address tracking data.
IPAM MSM Administrators: IPAM multi-server management (MSM) administrators can manage DNS and
DHCP servers.
IPAM Users: IPAM users can view information in IPAM, but cannot manage IPAM features or view IP address
tracking data.
QUESTION 31
Your network contains two AD forests named contoso.com and corp.contoso.com.
User1 is a member of the DnsAdmins domain local group in contoso.com.
User1 attempts to create a conditional forwarder to corp.contoso.com but receives the error shown in the exhibit.
You need to configure bi-directional name resolution between the two forests. What should you do first?
Exhibit:

A. Enable the Advanced view from DNS Manager.
B. Add User1 to the DnsUpdateProxy group.
C. Run the New Delegation Wizard.
D. Configure the zone to be Active Directory-integrated.

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 32
Your network contains an Active Directory forest named contoso.com. The forest contains a single domain. The
domain contains three domain controllers. The domain controllers are configured as shown in the following
table.

You plan to test an Application on a server named Server1. Server1 is currently located in Site1.
After the test, Server1 will be moved to Site2.
You need to ensure that Server1 attempts to authenticate to DC3 first, while you test the Application.
What should you do?
A. Create a new site and associate the site to an existing site link object.
B. Modify the priority of site-specific service location (SRV) DNS records for Site2.
C. Create a new subnet object and associate the subnet object to an existing site.
D. Modify the weight of site-specific service location (SRV) DNS records for Site1.

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:

http://technet.microsoft.com/en-us/library/cc742513.aspx
QUESTION 33
You have a server named Server1 that runs Windows Server 2012. Server1 has the DNS Server server role
installed.
You need to store the contents of all the DNS queries received by Server1.
What should you configure?
A. Logging from Windows Firewall with Advanced Security
B. Debug logging from DNS Manager
C. A Data Collector Set (DCS) from Performance Monitor
D. Monitoring from DNS Manager
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
You can use DNS Manager to selectively enable additional debug logging options for temporary trace logging
to a text-based file of DNS server activity. The file that is created and used for this feature, Dns.log, is stored in
the %systemroot%\System32\Dns folder.
Using debug logging options slows DNS server performance. For this reason, all debug logging options are
disabled by default.

http://technet.microsoft.com/en-us/library/cc776361(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc749337.aspx
QUESTION 34
Your network contains an Active Directory domain named contoso.com. The domain contains two DHCP
servers named DHCP1 and DHCP2 that run Windows Server 2012.
You install the IP Address Management (IPAM) Server feature on a member server named Server1 and you
run the Invoke-IpamGpoProvisioning cmdlet.
You need to manage the DHCP servers by using IPAM on Server1.
Which three actions should you perform?
To answer, move the three appropriate actions from the list of actions to the answer area and arrange them in
the correct order.
Select and Place:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
After auto-discovering or manually adding servers to the server inventory, you must choose whether or not they
will be managed by the IPAM server.

http://technet.microsoft.com/en-us/library/jj878313.aspx
QUESTION 35
You have a server named Server1 that runs Windows Server 2012. Server1 is located in the perimeter network
and has the DNS Server role installed. Server1 has a zone named contoso.com. You apply a security template
to Server1. After you apply the template, users report that they can no longer resolve names from contoso.com.
On Server1, you open DNS Manager as shown in the DNS exhibit.
On Server1, you open Windows Firewall with Advanced Security as shown in the Firewall exhibit.
You need to ensure that users can resolve contoso.com names. What should you do?
DNS Manager (exhibit):

Windows Firewall with Advanced Security (exhibit):

A. From Windows Firewall with Advanced Security, disable the DNS (TCP, Incoming) rule and the DNS (UDP,
Incoming) rule.
B. From DNS Manager, modify the Zone Transfers settings of the contoso.com zone.
C. From Windows Firewall with Advanced Security, modify the profiles of the DNS (TCP, Incoming) rule and
the DNS (UDP, Incoming) rule.
D. From DNS Manager, modify the Start of Authority (SOA) of the contoso.com zone.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 36
You are employed as a senior network administrator at contoso.com. Contoso.com has a single Active Directory
domain named contoso.com. All servers on the contoso.com network have Windows Server 2012 installed.
You are running a training exercise for junior network administrators. You are currently discussing the
Dnslint.exe tool.
Which of the following should this tool be used for? (Choose all that apply)
A. To help diagnose common DNS name resolution issues
B. For developing scripts for configuring a DNS server
C. To administer the DNS Server service.
D. To look for specific DNS record sets and ensure that they are consistent across multiple DNS servers.
E. To verify that DNS records used specifically for Active Directory replication are correct.
F. To create and delete zones and resource records.
Correct Answer: ADE
Section: (none)
Explanation
Explanation/Reference:
One of the best DNS tools a Windows admin can use is DNSLint.
While nslookup is ok for quick DNS lookups, DNSLint is like the swiss army knife of DNS troubleshooting.
This tool shipped with the Support Tools on the Windows Server 2003 CD and has been available for download
from the download center on www.microsoft.com for a few years.

http://support.microsoft.com/kb/321045/
http://blogs.msdn.com/b/tim_rains/archive/2004/12/15/316137.aspx
http://support.microsoft.com/default.aspx?scid=kb;en-us;329982
QUESTION 37
You have a server named Server1 that runs Windows Server 2012. Server1 has the DNS Server server role
installed.
You need to configure Server1 to resolve queries for single-label DNS names.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Run the Set-DNSServerGlobalNameZone cmdlet.
B. Modify the DNS suffix search list setting.
C. Modify the Primary DNS Suffix Devolution setting.
D. Create a zone named ".".
E. Create a zone named GlobalNames.
F. Run the Set-DNSServerRootHint cmdlet.

Correct Answer: AE
Section: (none)
Explanation
Explanation/Reference:
While Domain Name System (DNS) is the predominant name-resolution technology in TCP/IP networks,
Windows Internet Name Service (WINS) is deployed in many networks as an alternative name-resolution
protocol.
To help organizations migrate to DNS for all name resolution, the DNS Server role in Windows Server 2008
supports a special GlobalNames Zone (GNZ) feature. The GNZ feature is designed to enable DNS resolution of
these single-label, static, global names. You can deploy a GNZ in a single forest or across multiple forests.
The GNZ is not a new type of zone, but it is distinguished by its reserved name. The name GlobalNames
indicates to the DNS Server service running on Windows Server 2008 that the zone is to be used for single-name
resolution. Because it is not a different zone type, it is created and managed much the same as any
forward lookup zone, except that normally the only resource records that it contains are the usual start of
authority (SOA) and name server (NS) resource records, plus an alias (CNAME) resource record for each
single-label name to be resolved by the zone. Also, the GNZ should not be configured to allow dynamic updates
to prevent host (A or AAAA) records from being inadvertently registered in the zone.

http://technet.microsoft.com/en-us/library/cc816610%28v=ws.10%29.aspx
http://technet.microsoft.com/en-us/library/jj649907.aspx
QUESTION 38
Your network contains an Active Directory domain named contoso.com. The domain contains a domain
controller named DC1 that runs Windows Server 2012.
DC1 has the DNS Server server role installed.
The network contains client computers that run either Linux, Windows 7, or Windows 8.
You have a standard primary zone named adatum.com as shown in the exhibit. (Click the Exhibit button.)
You plan to configure Name Protection on all of the DHCP servers.
You need to configure the adatum.com zone to support Name Protection.
Which two configurations should you perform from DNS Manager? (Each correct answer presents part of the
solution. Choose two.)
Exhibit:

A. Sign the zone.
B. Store the zone in Active Directory.
C. Modify the Security settings of the zone.
D. Configure Dynamic updates.

Correct Answer: BD
Section: (none)
Explanation
Explanation/Reference:

http://technet.microsoft.com/en-us/library/ee941152(v=ws.10).aspx
QUESTION 39
You have a DHCP server named Server1. Server1 has an IP address of 192.168.1.2 and is located on a subnet
that has a network ID of 192.168.1.0/24.
On Server1, you create the scopes shown in the following table.

You need to ensure that Server1 can assign IP addresses from both scopes to the DHCP clients on the local
subnet.
What should you create on Server1?
A. A scope
B. A superscope
C. A split-scope
D. A multicast scope

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:

http://technet.microsoft.com/en-us/library/dd759168.aspx
QUESTION 40
Your network contains an Active Directory domain named contoso.com. The domain contains a domain
controller named DC1 that runs Windows Server 2012.
On DC1, you open DNS Manager as shown in the exhibit. (Click the Exhibit button.)
You need to change the replication scope of the contoso.com zone.
What should you do before you change the replication scope?
Exhibit:

A. Modify the Zone Transfers settings.
B. Add DC1 to the Name Servers list.
C. Add your user account to the Security settings of the zone.
D. Unsign the zone.

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Windows Server 2012 introduces support for DNSSEC online signing, which enables signing and unsigning of
Active Directory (AD)-integrated zones and support for dynamic updates. A Windows Server 2012 DNS server
includes a DNSSEC wizard in DNS Manager, which walks an administrator through the signing and
unsigning process.
The wizard generates all keys necessary to sign a zone automatically as part of the process of signing the
zone.
Unsigning a Zone
If there are errors in the signing or TA distribution process, or if the zone was signed experimentally and is
being reverted, the administrator will need to unsign the zone. This can be done by launching the DNSSEC UI
from within the DNS Management console on the key master (or remotely on another server connected to the
KM), and selecting the option to Unsign the zone.
The lock icon signifies that the zone has been signed. Changes to the zone are blocked while it is signed.
http://www.microsoft.com/en-us/download/dlx/ThankYou.aspx?id=29018

QUESTION 41
* Your network contains an Active Directory domain named contoso.com. The domain contains an IP Address
Management (IPAM) server that uses a Windows Internal Database.
You install a Microsoft SQL Server 2012 instance on a new server.
You need to migrate the IPAM database to the SQL Server instance.
Which cmdlet should you run?
A. Disable-IpamCapability
B. Set-IpamConfiguration
C. Update-IpamServer
D. Move-IpamDatabase

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 42
* You are employed as a network admin at ABC.com.
ABC.com has an AD domain named ABC.com. All servers on the ABC network have Windows 2012 R2
installed. ABC.com has a server named Server1 which is configured as a DHCP server.
You have created a superscope on Server1.
Which of the following describes a reason for creating a superscope? (Choose all that apply).
A. To support DHCP clients on a single physical network segment where multiple logical IP networks are used.
B. To allow for the sending of network traffic to a group of endpoints destination hosts.
C. To support remote DHCP clients located on the far side of DHCP and BOOTP relay agents.
D. To provide fault tolerance.

Correct Answer: AC
Section: (none)
Explanation
Explanation/Reference:
http://technet.microsoft.com/en-us/library/dd759168.aspx
A superscope is an administrative feature of Dynamic Host Configuration Protocol (DHCP) servers running
Windows Server 2008 that you can create and manage by using the DHCP Microsoft Management Console
(MMC) snap-in. By using a superscope, you can group multiple scopes as a single administrative entity. With
this feature, a DHCP server can:
1. Support DHCP clients on a single physical network segment (such as a single Ethernet LAN segment) where
multiple logical IP networks are used. When more than one logical IP network is used on each physical subnet
or network, such configurations are often called multinets.
2. Support remote DHCP clients located on the far side of DHCP and BOOTP relay agents (where the network
on the far side of the relay agent uses multinets).

QUESTION 43
* You are employed as a network admin at ABC.com.
ABC.com has an AD domain named ABC.com. All servers on the ABC network have Windows 2012 R2
installed. You are running a training exercise for junior admins. You are currently discussing DHCP
failover architecture. You have informed the trainees that DHCP servers can be deployed as failover partners
in either hot standby mode or load sharing mode. Which of the following is TRUE with regards to hot standby
mode? (Choose all that apply)
A. It is when two servers function in a failover relationship where an active server is responsible for leasing IP
addresses and configuration data to all clients in a scope or subnet.
B. It is when two servers in a failover relationship serve IP addresses and options to clients on a given subnet at
the same time.
C. It is best suited to deployments where a data center server acts as a standby backup server to a server at a
remote site.
D. It is best suited to deployments where both servers in a failover relationship are located at the same physical
site.
Correct Answer: AC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 44
* You have a server named Server1.
You install the IP Address Management (IPAM) Server feature on Server1.
You need to provide a user named User1 with the ability to set the access scope of all the DHCP servers that
are managed by IPAM. The solution must use the principle of least privilege.
Which user role should you assign to User1?
A. DNS Record Administrator Role
B. IPAM DHCP Reservations Administrator Role
C. IPAM Administrator Role
D. IPAM DHCP Administrator Role (This has the amount of privileges)

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
http://technet.microsoft.com/en-us/library/dn268500.aspx

IPAM Administrator has the most privileges.


The question is also known to have the following selections available:
A. IPAM ASM Administrator Role
B. IPAM Administrator Role
C. IPAM DHCP Reservations Administrator Role
D. IPAM MSM Administrator Role
D would be the correct answer in this situation as it has the LEAST privileges while also being able to manage
the access scopes of ALL DHCP servers.
The reason B is incorrect is because there are too many privileges given with IPAM Administrator
The reason C is incorrect is because DHCP Reservations Administrator only allows the management of DHCP
Reservations, not the DHCP scopes.
Had IPAM DHCP Scope Administrator been an available choice then that answer would be correct.
QUESTION 45
* Your network contains an Active Directory domain named contoso.com. The domain contains two DHCP
servers named Server1 and Server2. Both servers have multiple IPv4 scopes.
Server1 and Server2 are used to assign IP addresses for the network IDs of 172.20.0.0/16 and 131.107.0.0/16.
You install the IP Address Management (IPAM) Server feature on a server named IPAM1 and configure IPAM1
to manage Server1 and Server2.
Some users from the 172.20.0.0 network report that they occasionally receive an IP address conflict error
message.
You need to identify whether any scopes in the 172.20.0.0 network ID conflict with one another.
What Windows PowerShell cmdlet should you run?
To answer, select the appropriate options in the answer area.
Guaranteed success with TestInsides practice guides 314 Microsoft 70-412 : Practice Test

Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
QUESTION 46
* Your network contains an Active Directory domain named contoso.com. The domain contains a server named
Server3 that runs Windows Server 2012 R2 and has the DHCP Server server role installed.
DHCP is configured as shown in the exhibit. (Click the Exhibit button.)

Scope1, Scope2, and Scope3 are configured to assign the IP addresses of two DNS servers to DHCP clients.
The remaining scopes are NOT configured to assign IP addresses of DNS servers to DHCP clients.

You need to ensure that only Scope1, Scope3, and Scope5 assign the IP addresses of the DNS servers to the
DHCP clients. The solution must minimize administrative effort.
What should you do?
A. Create a superscope and scope-level policies.
B. Configure the Scope Options.
C. Create a superscope and a filter.
D. Configure the Server Options.

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Scope options are specific to scopes - Server options are for the entire server.
Scope options are more specific than Server options and therefore receive precedence. If a reservation had
options configured that would take precedence over all other options as that would be the most specific. Think
inheritance. Server -> Scope -> Reservation with reservation being the most specific.
QUESTION 47
* Your network contains an Active Directory domain named contoso.com. The domain contains a server named
Server1 that runs Windows Server 2012 R2 and has the DHCP Server server role installed. Server1 has an
IPv6 scope named Scope1.
You implement an additional DHCP server named Server2 that runs Windows Server 2012 R2.
You need to provide high availability for Scope1. The solution must minimize administrative effort.
What should you do?

A. Install and configure Network Load Balancing (NLB) on Server1 and Server2.
B. Create a scope on Server2.
C. Configure DHCP failover on Server1.
D. Install and configure Failover Clustering on Server1 and Server2.

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
http://blogs.technet.com/b/canitpro/archive/2013/07/10/step-by-step-dhcp-high-availability-with-windows-server2012-r2.aspx
http://technet.microsoft.com/en-us/library/hh831385.aspx
Configure DHCP failover on the server that created the scope. In this case Server1 created Scope1 therefore
DHCP Failover should be configured on Server1
QUESTION 48
* Your network contains an Active Directory forest named contoso.com.
Users frequently access the website of an external partner company. The URL of the website is
http://partners.adatum.com.
The partner company informs you that it will perform maintenance on its Web server and that the IP addresses
of the Web server will change.
After the change is complete, the users on your internal network report that they fail to access the website.
However, some users who work from home report that they can access the website.
You need to ensure that your DNS servers can resolve partners.adatum.com to the correct IP address
immediately.
What should you do?
A. Run dnscmd and specify the CacheLockingPercent parameter.
B. Run Set-DnsServerGlobalQueryBlockList.
C. Run ipconfig and specify the Renew parameter.
D. Run Set-DnsServerCache.

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
http://technet.microsoft.com/en-us/library/jj649852.aspx
Run Set-DnsServerCache with the -LockingPercent switch. dnscmd technically works also.
QUESTION 49
* Your network contains an Active Directory domain named contoso.com. The domain contains a domain
controller named DC1 and a member server named Server1. All servers run Windows Server 2012 R2.
You install the IP Address Management (IPAM) Server feature on Server1.
From the Provision IPAM wizard, you select the Group Policy Based provisioning method and enter a GPO
name prefix of IPAM1.
You need to provision IPAM by using Group Policy.
What command should you run on Server1 to complete the process?
To answer, select the appropriate options in the answer area.

Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
QUESTION 50
* Your network contains an Active Directory domain named contoso.com. The domain contains a DNS server
named Server1. Server1 is configured to resolve single-label names for DNS clients.
You need to view the number of queries for single-label names that are resolved by Server1.
What command should you run?
To answer, select the appropriate options in the answer area.

Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
QUESTION 51
* Your network contains an Active Directory domain named contoso.com. The domain contains two member
servers named Server1 and Server2.
You install the DHCP Server server role on Server1 and Server2. You install the IP Address Management
(IPAM) Server feature on Server1.
You notice that you cannot discover Server1 or Server2 in IPAM.
You need to ensure that you can use IPAM to discover the DHCP infrastructure.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. On Server2, create an IPv4 scope.
B. On Server1, run the Add-IpamServerInventory cmdlet.
C. On Server2, run the Add-DhcpServerInDc cmdlet.
D. On both Server1 and Server2, run the Add-DhcpServerv4Policy cmdlet.
E. On Server1, uninstall the DHCP Server server role.

Correct Answer: CE
Section: (none)
Explanation

Explanation/Reference:
http://technet.microsoft.com/en-us/library/jj590712.aspx
Add-DhcpServerInDC
Adds the computer running the DHCP server service to the list of authorized Dynamic Host Configuration
Protocol (DHCP) server services in Active Directory (AD).
IPAM should not be installed on a DHCP server.
http://technet.microsoft.com/en-us/library/jj878312.aspx
IPAM must be installed on a domain member computer. You cannot install IPAM on a domain
controller. If IPAM is installed on the same server with DHCP, then DHCP server discovery will be
disabled.
QUESTION 52
* Your network contains an Active Directory domain named contoso.com. The domain contains a member
server named Server1. Server1 has the IP Address Management (IPAM) Server feature installed.
A technician performs maintenance on Server1.
After the maintenance is complete, you discover that you cannot connect to the IPAM server on Server1.
You open the Services console as shown in the exhibit. (Click the Exhibit button.)

A. Windows Process Activation Service
B. Windows Event Collector
C. Windows Internal Database
D. Windows Store Service (WSService)

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 53
* Your network contains an Active Directory domain named contoso.com. All domain controllers run Windows
Server 2012 R2.
The network has the physical sites and TCP/IP subnets configured as shown in the following table.

You have a web application named App1 that is hosted on six separate Web servers. DNS has the host names
and IP addresses registered as shown in the following table.

You discover that when users connect to appl.contoso.com, they are connected frequently to a server that is
not on their local subnet.
You need to ensure that when the users connect to appl.contoso.com, they connect to a server on their local
subnet. The connections must be distributed across the servers that host appl.contoso.com on their subnet.
Which two settings should you configure?
To answer, select the appropriate two settings in the answer area.

Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
QUESTION 54
* Your network contains an Active Directory domain named contoso.com. The domain contains two servers
named Server1 and Server2. All servers run Windows Server 2012 R2.
You install the DHCP Server server role on both servers.
On Server1, you have the DHCP scope configured as shown in the exhibit. (Click the Exhibit button.)

You need to configure the scope to be load-balanced across Server1 and Server2.
What Windows PowerShell cmdlet should you run on Server1?
To answer, select the appropriate options in the answer area.


Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
QUESTION 55
* Your company has two offices. The offices are located in Seattle and Montreal.
The network contains an Active Directory domain named contoso.com. The domain contains two DHCP
servers named Server1 and Server2. Server1 is located in the Seattle office. Server2 is located in the Montreal
office. All servers run Windows Server 2012 R2.
You need to create a DHCP scope for video conferencing in the Montreal office. The scope must be configured
as shown in the following table.

Which Windows PowerShell cmdlet should you run?


A. Add-DhcpServerv4SuperScope
B. Add-DhcpServerv4MulticastScope
C. Add-DhcpServerv4Policy
D. Add-DhcpServerv4Scope

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 56
* Your network contains an Active Directory domain named contoso.com.
You install the IP Address Management (IPAM) Server feature on a server named Server1 and select Manual
as the provisioning method.
The IPAM database is located on a server named SQL1.
You need to configure IPAM to use Group Policy Based provisioning.
What command should you run first?
To answer, select the appropriate options in the answer area.

Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
The provisioning method cannot be changed without first uninstalling IPAM.
In order to change from Manual provisioning to GPO provisioning the IPAM feature must first be uninstalled
then reinstalled.
QUESTION 57
* You have a server named DNS1 that runs Windows Server 2012 R2.
You discover that the DNS resolution is slow when users try to access the company intranet home page by
using the URL http://companyhome.
You need to provide single-label name resolution for CompanyHome that is not dependent on the suffix search
order.
Which three cmdlets should you run? (Each correct answer presents part of the solution.
Choose three.)
A. Add-DnsServerPrimaryZone
B. Add-DnsServerResourceRecordCName
C. Set-DnsServerDsSetting
D. Set-DnsServerGlobalNameZone
E. Set-DnsServerEDns
F. Add-DnsServerDirectoryPartition

Correct Answer: ABD


Section: (none)
Explanation
Explanation/Reference:

Configure the AD infrastructure


QUESTION 1
* Your network contains an Active Directory domain named contoso.com. The domain contains a main office
and a branch office. An Active Directory site exists for each office.
All domain controllers run Windows Server 2012. The domain contains two domain controllers.
The domain controllers are configured as shown in the following table.

DC1 hosts an Active Directory-integrated zone for contoso.com.
You add the DNS Server server role to DC2.
You discover that the contoso.com DNS zone fails to replicate to DC2.
You verify that the domain, schema, and configuration naming contexts replicate from DC1 to DC2.
You need to ensure that DC2 replicates the contoso.com zone by using Active Directory replication.
Which tool should you use?
A. Active Directory Sites and Services
B. Ntdsutil
C. DNS Manager
D. Active Directory Domains and Trusts

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
To control replication between two sites, you can use the Active Directory Sites and Services snap-in to
configure settings on the site link object to which the sites are added. By configuring settings on a site link, you
can control when replication occurs between two or more sites, and how often.
NOTE: If you see question about AD Replication, First preference is AD Sites and Services, then Repadmin
and then DNSLINT.
http://technet.microsoft.com/en-us/library/cc816926%28v=ws.10%29.aspx
http://technet.microsoft.com/en-us/library/cc731862.aspx
QUESTION 2
* Your network contains an Active Directory domain named contoso.com. The domain contains a main office
and a branch office. An Active Directory site exists for each office.

All domain controllers run Windows Server 2012. The domain contains two domain controllers. The domain
controllers are configured as shown in the following table.

DC1 hosts an Active Directory-integrated zone for contoso.com.
You add the DNS Server server role to DC2.
You discover that the contoso.com DNS zone fails to replicate to DC2.
You verify that the domain, schema, and configuration naming contexts replicate from DC1 to DC2.
You need to ensure that DC2 replicates the contoso.com zone by using Active Directory replication.
Which tool should you use?
A. Dnslint
B. DNS Manager
C. Active Directory Users and Computers
D. Dnscmd

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
One of the best DNS tools a Windows admin can use is DNSLint.
While nslookup is ok for quick DNS lookups, DNSLint is like the swiss army knife of DNS troubleshooting.
This tool shipped with the Support Tools on the Windows Server 2003 CD and has been available for download
from the download center on www.microsoft.com for a few years.

http://support.microsoft.com/kb/321045/
http://blogs.msdn.com/b/tim_rains/archive/2004/12/15/316137.aspx
http://support.microsoft.com/default.aspx?scid=kb;en-us;329982

QUESTION 3
* Your network contains an Active Directory domain named contoso.com. The domain contains a main office
and a branch office. An Active Directory site exists for each office.
All domain controllers run Windows Server 2012. The domain contains two domain controllers. The domain
controllers are configured as shown in the following table.

DC1 hosts an Active Directory-integrated zone for contoso.com.


You add the DNS Server server role to DC2.
You discover that the contoso.com DNS zone fails to replicate to DC2.
You verify that the domain, schema, and configuration naming contexts replicate from DC1 to DC2.
You need to ensure that DC2 replicates the contoso.com zone by using Active Directory replication.
Which tool should you use?
A. Ntdsutil
B. Repadmin
C. Active Directory Users and Computers
D. Active Directory Domains and Trusts

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
To control replication between two sites, you can use the Active Directory Sites and Services snap-in to
configure settings on the site link object to which the sites are added. By configuring settings on a site link, you
can control when replication occurs between two or more sites, and how often.
NOTE: If you see a question about AD replication, the first preference is AD Sites and Services, then Repadmin,
and then DNSLINT.
http://technet.microsoft.com/en-us/library/cc816926%28v=ws.10%29.aspx
http://technet.microsoft.com/en-us/library/cc731862.aspx
QUESTION 4
* Your network contains an Active Directory domain named contoso.com. The domain contains a main office
and a branch office. An Active Directory site exists for each office.
All domain controllers run Windows Server 2012. The domain contains two domain controllers. The domain
controllers are configured as shown in the following table.

You add the DNS Server server role to DC2.


You discover that the contoso.com DNS zone fails to replicate to DC2.
You verify that the domain, schema, and configuration naming contexts replicate from DC1 to DC2.
You need to ensure that DC2 replicates the contoso.com zone by using Active Directory replication.
Which tool should you use?
A. Ntdsutil
B. DNS Manager
C. Active Directory Users and Computers
D. Active Directory Domains and Trusts

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation: You can manually initiate replication using DNS Manager. Note: You can use DNS Manager, the
DNS snap-in in Microsoft Management Console (MMC), to manage the local Domain Name System (DNS)
server as well as remote DNS servers. Using DNS Manager or a command line, you can start, stop, or pause a
DNS server. You can also pause and restart individual zones that are hosted by the server.
Incorrect:
Not A: Ntdsutil.exe is a command-line tool that provides management facilities for Active Directory Domain
Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS). You can use the ntdsutil
commands to perform database maintenance of AD DS, manage and control single master operations, and
remove metadata left behind by domain controllers that were removed from the network without being properly
uninstalled. This tool is intended for use by experienced administrators.
QUESTION 5
* Your network contains an Active Directory domain named adatum.com. The domain contains a domain
controller named DC1 that runs Windows Server 2012.
On DC1, you open DNS Manager as shown in the exhibit. (Click the Exhibit button.)

You need to change the zone type of the contoso.com zone from an Active Directory-integrated zone to a
standard primary zone.
What should you do before you change the zone type?
A. Unsign the zone.
B. Modify the Zone Signing Key (ZSK).
C. Modify the Key Signing Key (KSK).
D. Change the Key Master.

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:

Unsigning a Zone
If there are errors in the signing or TA distribution process, or if the zone was signed experimentally and is
being reverted, the administrator will need to unsign the zone. This can be done by launching the DNSSEC UI
from within the DNS Management console on the key master (or remotely on another server connected to the
KM), and selecting the option to Unsign the zone.

http://download.microsoft.com/download/E/0/9/E09647CF-90B7-41A8-82B7-762B5507598F/
Understand_and_Troubleshoot_DNSSEC_in_Windows_Server_8_Beta.docx
QUESTION 6
* Your network contains two Active Directory forests named contoso.com and adatum.com. All of the domain
controllers in both of the forests run Windows Server 2012. The adatum.com domain contains a file server
named Server5.
Adatum.com has a one-way forest trust to contoso.com.
A contoso.com user named User10 attempts to access a shared folder on Server5 and receives the error
message shown in the exhibit. (Click the Exhibit button.)

You verify that the Authenticated Users group has Read permissions to the Data folder.
You need to ensure that User10 can read the contents of the Data folder on Server5 in the adatum.com
domain.

What should you do?


A. Grant the Other Organization group Read permissions to the Data folder.
B. Modify the list of logon workstations of the contoso\User10 user account.
C. Enable the Netlogon Service (NP-In) firewall rule on Server5.
D. Modify the permissions on the Server5 computer object in Active Directory.

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
To resolve this, open AD Users and Computers > Advanced Features > select the computer object >
Properties > Security > Add group (e.g. trustedDomain\Domain Users) > allow "Allowed to Authenticate".

http://technet.microsoft.com/en-us/library/cc816733(v=ws.10).aspx
QUESTION 7
* Your network contains an Active Directory forest. The forest contains two domains named contoso.com and
fabrikam.com. The functional level of the forest is Windows Server 2003.
The contoso.com domain contains domain controllers that run either Windows Server 2008 or Windows Server
2008 R2. The functional level of the domain is Windows Server 2008.
The fabrikam.com domain contains domain controllers that run either Windows Server 2003 or Windows
Server 2008. The functional level of the domain is Windows Server 2003.
The contoso.com domain contains a member server named Server1 that runs Windows Server 2012.
You install the Active Directory Domain Services server role on Server1.
You need to add Server1 as a new domain controller in the contoso.com domain.
What should you do?
A. Run the Active Directory Domain Services Configuration Wizard.
B. Run adprep.exe /domainprep, and then run dcpromo.exe.
C. Raise the functional level of the forest, and then run dcpromo.exe.
D. Modify the Computer Name/Domain Changes properties.

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
The Active Directory Domain Services Configuration Wizard
Beginning with Windows Server 2012, the Active Directory Domain Services Configuration Wizard replaces the
legacy Active Directory Domain Services Installation Wizard as the user interface (UI) option to specify settings
when you install a domain controller. The Active Directory Domain Services Configuration Wizard begins after
Add Roles Wizard is finished.
The legacy Active Directory Domain Services Installation Wizard (dcpromo.exe) is deprecated beginning with
Windows Server 2012.
Functional level features and requirements
Windows Server 2012 requires a Windows Server 2003 forest functional level. That is, before you can add a
domain controller that runs Windows Server 2012 to an existing Active Directory forest, the forest functional
level must be Windows Server 2003 or higher. This means that domain controllers that run Windows Server
2008 R2, Windows Server 2008, or Windows Server 2003 can operate in the same forest, but domain
controllers that run Windows 2000 Server are not supported and will block installation of a domain controller
that runs Windows Server 2012. If the forest contains domain controllers running Windows Server 2003 or later
but the forest functional level is still Windows 2000, the installation is also blocked.
Windows 2000 domain controllers must be removed prior to adding Windows Server 2012 domain controllers
to your forest.
From Windows Server 2008 R2 to Windows Server 2012:
The Windows Server 2012 forest functional level does not provide any new features, but it ensures that any
new domain created in the forest will automatically operate at the Windows Server 2012 domain functional
level.

The Windows Server 2012 domain functional level does not provide other new features beyond KDC support
for claims, compound authentication, and Kerberos armoring. But it ensures that any domain controller in the
domain runs Windows Server 2012.
http://technet.microsoft.com/en-us/library/cc771294.aspx
http://technet.microsoft.com/en-us/library/hh994618.aspx#BKMK_FunctionalLevels

QUESTION 8
* Your network contains an Active Directory forest. The forest contains two domains named contoso.com and
fabrikam.com. The forest functional level is Windows 2000.
The contoso.com domain contains domain controllers that run either Windows Server 2008 or Windows Server
2008 R2. The domain functional level is Windows Server 2008.
The fabrikam.com domain contains domain controllers that run either Windows 2000 Server or Windows
Server 2003. The domain functional level is Windows 2000 native.
The contoso.com domain contains a member server named Server1 that runs Windows Server 2012.
You need to add Server1 as a new domain controller in the contoso.com domain.
What should you do first?
A. Raise the functional level of the contoso.com domain to Windows Server 2008 R2.
B. Upgrade the domain controllers that run Windows Server 2008 to Windows Server 2008 R2.
C. Raise the functional level of the fabrikam.com domain to Windows Server 2003.
D. Decommission the domain controllers that run Windows 2000.
E. Raise the forest functional level to Windows Server 2003.

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Functional level features and requirements
Windows Server 2012 requires a Windows Server 2003 forest functional level. That is, before you can add a
domain controller that runs Windows Server 2012 to an existing Active Directory forest, the forest functional
level must be Windows Server 2003 or higher. This means that domain controllers that run Windows Server
2008 R2, Windows Server 2008, or Windows Server 2003 can operate in the same forest, but domain
controllers that run Windows 2000 Server are not supported and will block installation of a domain controller
that runs Windows Server 2012. If the forest contains domain controllers running Windows Server 2003 or later
but the forest functional level is still Windows 2000, the installation is also blocked.
Windows 2000 domain controllers must be removed prior to adding Windows Server 2012 domain
controllers to your forest.
From Windows Server 2008 R2 to Windows Server 2012:
The Windows Server 2012 forest functional level does not provide any new features, but it ensures that any
new domain created in the forest will automatically operate at the Windows Server 2012 domain functional
level.
The Windows Server 2012 domain functional level does not provide other new features beyond KDC support
for claims, compound authentication, and Kerberos armoring. But it ensures that any domain controller in the
domain runs Windows Server 2012.
http://technet.microsoft.com/en-us/library/cc771294.aspx
http://technet.microsoft.com/en-us/library/hh994618.aspx#BKMK_FunctionalLevels

QUESTION 9
* Your network contains an Active Directory domain named adatum.com. The domain contains two domain
controllers that run Windows Server 2012. The domain controllers are configured as shown in the following
table.

You log on to DC1 by using a user account that is a member of the Domain Admins group, and then you create
a new user account named User1.
You need to prepopulate the password for User1 on DC2.
What should you do first?
A. Connect to DC2 from Active Directory Users and Computers.
B. Add DC2 to the Allowed RODC Password Replication Policy group.
C. Add the User1 account to the Allowed RODC Password Replication Policy group.
D. Run Active Directory Users and Computers as a member of the Enterprise Admins group.

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
When you initially deploy an RODC, you must configure the Password Replication Policy on the writable domain
controller that will be its replication partner.


The Password Replication Policy acts as an access control list (ACL). It determines if an RODC should be
permitted to cache a password.
After the RODC receives an authenticated user or computer logon request, it refers to the Password
Replication Policy to determine if the password for the account should be cached.
The same account can then perform subsequent logons more efficiently.
Clearing cached passwords
There is no mechanism to erase passwords after they are cached on an RODC. If you want to clear a
password that is stored on an RODC, an administrator should reset the password in the hub site.
http://technet.microsoft.com/en-us/library/cc730883%28v=ws.10%29.aspx
http://technet.microsoft.com/en-us/library/cc753470(v=ws.10).aspx#BKMK_pre

QUESTION 10
* Your network contains an Active Directory domain named contoso.com. The domain contains two Active
Directory sites named Site1 and Site2.
You need to configure the replication between the sites to occur by using change notification.
Which attribute should you modify?
Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
Change notification is a mechanism by which a domain controller notifies a replication partner that it has
changes. Replication within a site occurs as a response to changes; as changes occur on one domain
controller, it notifies its replication partner, which prompts the partner to request the changes. When a domain
controller performs an update to an attribute, it sends notification to its replication partner within a specified time
following the change.
Active Directory replication occurs automatically and reliably with no administrative intervention, other than that
required to configure sites and site links. Some replication events, however, warrant additional understanding
for those administrators who need to fine-tune replication beyond the default behavior.
By default, changes are replicated between sites according to a schedule and not according to when changes
occur. For this reason, the greatest replication latency across the forest is the sum of the greatest replication
latencies along the single longest replication path of any directory partition.
For special circumstances, you can configure change notifications on connections between sites. By modifying
the site link object, you can enable change notification between sites for all connections that occur over that
link. Use ADSI Edit to enable change notification between sites.

http://technet.microsoft.com/en-us/library/cc961787.aspx
QUESTION 11
* Your network contains two Active Directory forests named contoso.com and fabrikam.com. The contoso.com
forest contains two domains named corp.contoso.com and contoso.com.
You establish a two-way forest trust between contoso.com and fabrikam.com.
Users from the corp.contoso.com domain report that they cannot log on to client computers in the
fabrikam.com domain by using their corp.contoso.com user account.
When they try to log on, they receive the following error message: "The computer you are signing into is protected
by an authentication firewall. The specified account is not allowed to authenticate to the computer."
Corp.contoso.com users can log on successfully to client computers in the contoso.com domain by using their
corp.contoso.com user account credentials.
You need to allow users from the corp.contoso.com domain to log on to the client computers in the
fabrikam.com forest.
What should you do?
A. Configure Windows Firewall with Advanced Security.
B. Enable SID history.
C. Configure forest-wide authentication.
D. Instruct the users to log on by using a user principal name (UPN).

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Active Directory Domains and Trusts recognizes three authentication settings that can be set on interforest
trusts: Domain-wide Authentication, Forest-wide Authentication, and Selective Authentication.
Enable forest-wide authentication over a forest trust
The forest-wide authentication setting permits unrestricted access by any users in the trusted forest to all
available shared resources in any of the domains in the trusting forest. This is the default authentication setting
for forest trusts, and it is representative of the way authentications were routed without restriction.
http://technet.microsoft.com/pt-pt/library/cc785875%28v=ws.10%29.aspx
QUESTION 12
* (F)
Your network contains an Active Directory domain named contoso.com. The domain contains a main office and
a branch office. An Active Directory site exists for each office. All domain controllers run Windows Server 2012.
The domain contains two domain controllers.
DC1 hosts an Active Directory-integrated zone for contoso.com.
You add the DNS Server server role to DC2.
You discover that the contoso.com DNS zone fails to replicate to DC2.
You verify that the domain, schema, and configuration naming contexts replicate from DC1 to DC2.
You need to ensure that DC2 replicates the contoso.com zone by using Active Directory replication.
Which tool should you use?
A. Dnscmd
B. Dnslint
C. Repadmin
D. Ntdsutil
E. DNS Manager
F. Active Directory Sites and Services
G. Active Directory Domains and Trusts
H. Active Directory Users and Computers

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
If you see a question about AD replication, the first preference is AD Sites and Services, then Repadmin, and then
DNSLINT.

http://technet.microsoft.com/en-us/library/cc739941(v=ws.10).aspx

QUESTION 13
* Your network contains an Active Directory domain named contoso.com. Domain controllers run either
Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012. You have a Password Settings
object (PSO) named PSO1. You need to view the settings of PSO1. Which tool should you use?
A. Get-ADDomainControllerPasswordReplicationPolicy
B. Get-ADDefaultDomainPasswordPolicy
C. Server Manager
D. Get-ADFineGrainedPasswordPolicy

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Get-ADFineGrainedPasswordPolicy
Gets one or more Active Directory fine grained password policies.

http://technet.microsoft.com/en-us/library/ee617231.aspx

Server Manager can also be used. (Server Manager -> Active Directory Administrative Center)
http://4sysops.com/archives/fine-grained-password-policy-in-windows-server-2012/

QUESTION 14
* Your network contains two Active Directory forests named contoso.com and adatum.com. Both forests
contain multiple domains. All domain controllers run Windows Server 2012.
Contoso.com has a one-way forest trust to adatum.com.
A domain named paris.eu.contoso.com hosts several legacy applications that use NTLM authentication.
Users in a domain named london.europe.adatum.com report that it takes a long time to be authenticated when
they attempt to access the legacy applications hosted in paris.eu.contoso.com.
You need to reduce how long it takes for the london.europe.adatum.com users to be authenticated in
paris.eu.contoso.com.
What should you do?
A. Create a shortcut trust.
B. Create an external trust between the forest root domains.
C. Disable SID filtering on the existing trust.
D. Create an external trust.

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Shortcut trusts are one-way or two-way, transitive trusts that can be used when administrators need to optimize
the authentication process.
Authentication requests must first travel a trust path between domain trees, and in a complex forest this can
take time, which can be reduced with shortcut trusts.

http://technet.microsoft.com/en-us/library/cc737939(v=ws.10).aspx
QUESTION 15
* Your network contains two Active Directory forests named contoso.com and litwareinc.com. A two-way forest
trust exists between the forests. Selective authentication is enabled on the trust.
The contoso.com forest contains a server named Server1.
You need to ensure that users in litwareinc.com can access resources on Server1.
What should you do?
A. Install Active Directory Rights Management Services on a domain controller in contoso.com.
B. Modify the permission on the Server1 computer account.
C. Install Active Directory Rights Management Services on a domain controller in litwareinc.com.
D. Configure SID filtering on the trust.


Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:

http://technet.microsoft.com/en-us/library/cc772808(v=ws.10).aspx
QUESTION 16
* Your network contains an Active Directory forest named contoso.com. The forest contains a single domain.
The forest contains three Active Directory sites named SiteA, SiteB, and SiteC. The sites contain four domain
controllers. The domain controllers are configured as shown in the following table.

An IP site link exists between each site.

You discover that the users in SiteC are authenticated by the domain controllers in SiteA and SiteB.
You need to ensure that the SiteC users are authenticated by the domain controllers in SiteB, unless all of the
domain controllers in SiteB are unavailable.
What should you do?
A. Create a site link bridge.
B. Create additional connection objects for DC3 and DC4.
C. Create additional connection objects for DC1 and DC2.
D. Increase the cost of the site link between SiteA and SiteC.

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://technet.microsoft.com/en-us/library/dd277430.aspx#XSLTsection126121120120

QUESTION 17
* Your network contains an Active Directory forest named contoso.com. The forest contains a single domain.
The forest contains three Active Directory sites named SiteA, SiteB, and SiteC.
The sites contain four domain controllers. The domain controllers are configured as shown in the following
table.

You discover that the users in SiteC are authenticated by the domain controllers in SiteA and SiteB.
You need to ensure that the SiteC users are authenticated by the domain controllers in SiteB, unless all of the
domain controllers in SiteB are unavailable.
What should you do?
A. Create additional connection objects for DC3 and DC4.
B. Decrease the cost of the site link between SiteB and SiteC.
C. Create a site link bridge.
D. Disable site link bridging.

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://technet.microsoft.com/en-us/library/dd277430.aspx#XSLTsection126121120120

QUESTION 18
* Your network contains an Active Directory forest named contoso.com. The forest contains a single domain.
The domain contains three domain controllers. The domain controllers are configured as shown in the following
table.

You discover that when you run Group Policy Results from Group Policy Management, the settings from
site-linked Group Policy objects (GPOs) fail to appear in the results.
You need to ensure that the settings from site-linked GPOs appear in the results.
What should you do first?
A. Run adprep on DC3 by using Windows Server 2012 installation media.
B. Transfer the infrastructure master role to DC3.
C. Upgrade DC2 to Windows Server 2012.
D. Run adprep on DC1 by using Windows Server 2003 installation media.

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
In this scenario a Windows 2012 server has been added to a Windows 2003 network.
Before adding your new Windows 2012 Domain Controller, or attempting to perform an in-place upgrade of an
existing Windows 2008 or 2008 R2 DC, you must make sure that the Schema is upgraded to support your new
Windows 2012 DC, and that you prepare each domain where you plan to install Windows 2012 DCs. To do this
we can use the ADPREP.exe tool found in the support\adprep folder on your installation media.
Starting with Windows 2012 there is only one version of ADPREP available, and that is a 64-bit version.
Adprep is the utility included in the OS installation media that performs several crucial functions to upgrade AD
to support that OS. The utility has three major options: /forestprep, /domainprep, and /rodcprep. The /forestprep
option runs first, extending the AD schema with new object and attribute classes that the new AD version
needs. The /domainprep option creates new well-known objects in AD, applies security changes, and
miscellaneous other bits. Finally, /rodcprep makes forest-wide security changes to allow read-only domain
controller (RODC) functionality. The Windows Server 2012 version of adprep.exe can run on any server that
runs a 64-bit version of Windows Server 2008 or later.
http://blogs.technet.com/b/canitpro/archive/2013/05/05/step-by-step-adding-a-windows-server-2012-domaincontroller-to-an-existing-windows-2003-network.aspx
QUESTION 19
* Your network contains an Active Directory forest. The forest contains a single domain named contoso.com.
The forest contains two Active Directory sites named Main and Branch1. The sites connect to each other by
using a site link named Main-Branch1. There are no other site links.
Each site contains several domain controllers. All domain controllers run Windows Server 2012.
Your company plans to open a new branch site named Branch2. The new site will have a WAN link that
connects to the Main site only. The site will contain two domain controllers that run Windows Server 2012.
You need to create a new site and a new site link for Branch2. The solution must ensure that the domain
controllers in Branch2 only replicate to the domain controllers in Branch1 if all of the domain controllers in Main
are unavailable.
Which three actions should you perform?
To answer, move the three appropriate actions from the list of actions to the answer area and arrange them in
the correct order.
Select and Place:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
Create a new site object named Branch2
Create a new site link object named Main-Branch2
Disable Site Link Bridging
QUESTION 20
* Your network contains an Active Directory forest named contoso.com that contains a single domain. The
forest contains three sites named Site1, Site2, and Site3.

Domain controllers run either Windows Server 2008 R2 or Windows Server 2012. Each site contains two
domain controllers. Site1 and Site2 contain a global catalog server.
You need to create a new site link between Site1 and Site2. The solution must ensure that the site link supports
the replication of all the naming contexts.
From which node should you create the site link?
To answer, select the appropriate node in the answer area.
Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
http://technet.microsoft.com/en-us/library/cc731294.aspx
To create a site link
Open Active Directory Sites and Services.
In the console tree, right-click the intersite transport protocol that you want the site link to use.
Where?
(Active Directory Sites and Services\Sites\Inter-Site Transports\IP or SMTP [select transport protocol])
Click New Site Link.
In Name, type the name for the site link.
In Sites not in this site link, click a site to add to the site link, and then click Add. Repeat to add more sites to
the site link. To remove a site from the site link, in Sites in this link, click the site, and then click Remove.
When you have added the sites that you want to be connected by this site link, click OK.
QUESTION 21

* (BD) or (AD)
Your network contains an Active Directory forest named contoso.com. The forest contains two domains named
contoso.com and child1.contoso.com. The domains contain three domain controllers.
The domain controllers are configured as shown in the following table.

You need to ensure that the KDC support for claims, compound authentication, and Kerberos armoring setting
is enforced in the child1.contoso.com domain.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Upgrade DC1 to Windows Server 2012.
B. Upgrade DC11 to Windows Server 2012.
C. Raise the domain functional level of child1.contoso.com.
D. Raise the domain functional level of contoso.com.
E. Raise the forest functional level of contoso.com.

Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
If you want to create access control based on claims and compound authentication, you need to deploy
Dynamic Access Control. This requires that you upgrade to Kerberos clients and use the KDC, which support
these new authorization types. With Windows Server 2012, you do not have to wait until all the domain
controllers and the domain functional level are upgraded to take advantage of new access control options.
The infrastructure required to implement claims-based authorization in Active Directory includes at least one
Windows Server 2012 DC in the domain where the user resides that will use this feature, one or more Windows
Server 2012 DCs in each domain that will implement claims to another forest, and a Windows 8 client (for
device claims). There's no requirement for forest functional level -- that is, no need to raise the forest functional
level to Windows Server 2012.

http://technet.microsoft.com/en-us/library/cc771294.aspx
http://redmondmag.com/Articles/2013/08/01/Implement-the-New-Windows-Server-2012-DAC.aspx?Page=1
http://technet.microsoft.com/en-us/library/hh831747.aspx
QUESTION 22
* Your company recently deployed a new Active Directory forest named contoso.com. The forest contains two
Active Directory sites named Site1 and Site2. The first domain controller in the forest runs Windows Server
2012.
You need to force the replication of the SYSVOL folder from Site1 to Site2.
Which tool should you use?
A. Active Directory Sites and Services
B. DFS Management
C. Repadmin
D. Dfsrdiag

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
D. In Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008, you can force replication
immediately by using DFS Management, as described in Edit Replication Schedules. You can also force
replication by using the Dfsrdiag SyncNow command. You can force polling by using the Dfsrdiag PollAD
command.
http://technet.microsoft.com/en-us/library/cc773238(v=ws.10).aspx#BKMK_072
QUESTION 23
* Your network contains an Active Directory forest. The forest contains two domains named contoso.com and
fabrikam.com. The functional level of the forest is Windows Server 2003.
You have a domain outside the forest named litwareinc.com.
You need to configure an access solution to meet the following requirements:
Users in litwareinc.com must be able to access resources on a server named Server1 in contoso.com.

Users in the contoso.com forest must be prevented from accessing any resources in litwareinc.com.
Users in litwareinc.com must be prevented from accessing any other resources in the contoso.com forest.
Which three actions should you perform? (Each correct answer presents part of the solution. Choose three.)
A. Configure SID filtering on the trust.
B. Configure forest-wide authentication on the trust.
C. Create a one-way forest trust.
D. Create a one-way external trust.
E. Modify the permission on the Server1 object.
F. Configure selective authentication on the trust.

Correct Answer: DEF


Section: (none)
Explanation
Explanation/Reference:
litwareinc.com is outside the forest, so we need an external trust (not a forest trust).
We must grant the required permissions on Server1. For an external trust we must select either Domain-wide or
Selective authentication (forest-wide authentication is not an option).
Note:
* You can create an external trust to form a one-way or two-way, nontransitive trust with domains that are
outside your forest. External trusts are sometimes necessary when users need access to resources in a
Windows NT 4.0 domain or in a domain that is located in a separate forest that is not joined by a forest trust.
* To select the scope of authentication for users that are authenticating through a forest trust, click the forest
trust that you want to administer, and then click Properties. On the Authentication tab, click either Forest-wide
authentication or Selective authentication.
* To select the scope of authentication for users that are authenticating through an external trust, click the
external trust that you want to administer, and then click Properties. On the Authentication tab, click either
Domain-wide authentication or Selective authentication.
* The forest-wide authentication setting permits unrestricted access by any users in the trusted forest to all
available shared resources in any of the domains in the trusting forest.
* Forest-wide authentication is generally recommended for users within the same organization.
Reference: Select the Scope of Authentication for Users
http://technet.microsoft.com/en-us/library/cc776245(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc755844(v=ws.10).aspx
QUESTION 24
* Your network contains an Active Directory domain named contoso.com. All domain controllers run Windows
Server 2012. The domain contains two domain controllers. The domain controllers are configured as shown in
the following table.

The Branch site contains a perimeter network.


For security reasons, client computers in the perimeter network can communicate with client computers in the
Branch site only.

You plan to deploy a new RODC to the perimeter network in the Branch site.
You need to ensure that the new RODC will be able to replicate from DC10.
What should you do first on DC10?
A. Run the Add-ADDSReadOnlyDomainControllerAccount cmdlet.
B. Run dcpromo and specify the /createdaccount parameter.
C. Run the Active Directory Domain Services Configuration Wizard.
D. Enable the Bridge all site links setting.

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Add-ADDSReadOnlyDomainControllerAccount
Creates a read-only domain controller (RODC) account that can be used to install an RODC in Active
Directory.

http://technet.microsoft.com/en-us/library/jj574152.aspx
http://technet.microsoft.com/en-us/library/hh974718.aspx

QUESTION 25
* Your network contains an Active Directory domain named contoso.com. All domain controllers run Windows
Server 2012. The domain contains two domain controllers. The domain controllers are configured as shown in
the following table.

You configure a user named User1 as a delegated administrator of DC10.


You need to ensure that User1 can log on to DC10 if the network link between the Main site and the Branch site
fails.
What should you do?
A. Add User1 to the Domain Admins group.
B. Modify the properties of the DC10 computer account.
C. Run repadmin and specify /replsingleobject parameter.
D. On DC10, modify the User Rights Assignment in Default Domain Controllers Policy Objects (GPO).

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Modify the following policy:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log
on locally
Note:
* User Rights Assignment policies determine which users or groups have logon rights or privileges on the
computer.
* Delegated administrator accounts gain local administrative permissions to the RODC. These users can
operate with privileges equivalent to the local computer's Administrators group. They are not members of the
Domain Admins or the domain built-in Administrators groups. This option is useful for delegating branch office
administration without giving out domain administrative permissions. Configuring delegation of administration is
not required.
http://technet.microsoft.com/en-us/library/jj574152.aspx

http://technet.microsoft.com/en-us/library/cc732801%28v=ws.10%29.aspx

PRP - Password Replication Policy


http://technet.microsoft.com/en-us/library/cc755310%28v=ws.10%29.aspx
QUESTION 26
* Your network contains an Active Directory domain named contoso.com. All domain controllers run Windows

Server 2012. The domain contains two domain controllers. The domain controllers are configured as shown in
the following table.

You configure a user named User1 as a delegated administrator of DC10.


You need to ensure that User1 can log on to DC10 if the network link between the Main site and the Branch site
fails.
What should you do?
A. Add User1 to the Domain Admin group.
B. Run repadmin and specify /replsingleobject parameter.
C. Modify the properties of the DC10 computer account.
D. On DC10, modify the User Rights Assignment in Local Policies.

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation: Modify the following policy:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log
on locally
Note:
* User Rights Assignment policies determine which users or groups have logon rights or privileges on the
computer.
* Delegated administrator accounts gain local administrative permissions to the RODC. These users can
operate with privileges equivalent to the local computer's Administrators group. They are not members of the
Domain Admins or the domain built-in Administrators groups. This option is useful for delegating branch office
administration without giving out domain administrative permissions. Configuring delegation of administration is
not required.
QUESTION 27
* Your network contains an Active Directory domain named contoso.com. All domain controllers run Windows
Server 2012. The domain contains two domain controllers. The domain controllers are configured as shown in
the following table.

You configure a user named User1 as a delegated administrator of DC10.


You need to ensure that User1 can log on to DC10 if the network link between the Main site and the Branch site
fails.
What should you do?
A. On DC10, run ntdsutil and configure the settings in the Roles context.
B. On DC10, run ntdsutil and configure the settings in the Local Roles context.
C. Modify the properties of the DC10 computer account.
D. Run repadmin and specify /replsingleobject parameter.

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Use the ntdsutil local roles command or the dsmgmt local roles command. You can use this command to
view, add, or remove members from the Administrators group and other built-in groups on the RODC.
The local roles command manages Administrator Role Separation for a read-only domain controller (RODC).
Administrator role separation provides a nonadministrative user with the permissions to install and administer
an RODC, without granting that user permissions to do any other type of domain administration.
This command is a subcommand of Ntdsutil and Dsmgmt.

http://technet.microsoft.com/en-us/library/cc753343.aspx
http://www.gatepoint.ch/cmdreferenz/html/aee69f2f-49bf-49cb-ac0b-eccc26423b1f.htm

PS.
You can manage the RODC local roles mapping directly by using the following registry entry on the RODC:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RODCROLES

Replicate a single object between two domain controllers


The repadmin /replsingleobj command replicates a single object between any two domain controllers that
have partitions in common. The two domain controllers do not require a replication agreement between them.
Replication agreements can be shown by using the repadmin /showreps command.
http://technet.microsoft.com/en-us/library/aee69f2f-49bf-49cb-ac0b-eccc26423b1f
http://technet.microsoft.com/en-us/library/cc755310%28v=ws.10%29.aspx
QUESTION 28
* Your network contains an Active Directory forest named contoso.com. The forest contains a single domain.
The domain contains three domain controllers. The domain controllers are configured as shown in the following
table.

You plan to test an application on a server named Server1. Server1 is currently located in Site1.

After the test, Server1 will be moved to Site2.


You need to ensure that Server1 attempts to authenticate to DC3 first, while you test the application.
What should you do?
A. Modify the priority of site-specific service location (SRV) DNS records for Site2.
B. Create a new subnet object and associate the subnet object to an existing site.
C. Create a new site and associate the site to an existing site link object.
D. Modify the registry on DC3.

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:

QUESTION 29
* Your network contains an Active Directory forest named contoso.com. The forest contains a single domain.
The forest functional level is Windows Server 2012.
You have a domain controller named DC1.
On DC1, you create a new Group Policy object (GPO) named GPO1.
You need to verify that GPO1 was replicated to all of the domain controllers.
Which tool should you use?
A. Group Policy Management
B. Active Directory Sites and Services
C. DFS Management
D. Active Directory Administrative Center

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
In Windows Server 2012, the Group Policy Management Console (GPMC) was enhanced to provide a report
for the overall health state of the Group Policy infrastructure for a domain, or to scope the health view to a
single GPO.
The GPMC domain status tab (added in Windows Server 2012) displays individual pieces of information that
indicate the health of the Group Policy infrastructure with regards to domain controllers, GPO replication, and
GPO versioning. This Group Policy infrastructure health status can help you find inconsistencies and anticipate
issues.
http://technet.microsoft.com/en-us/library/jj134176.aspx
QUESTION 30
* Your network contains an Active Directory domain named contoso.com. The domain contains domain
controllers that run either Windows Server 2003, Windows Server 2008 R2, or Windows Server 2012.
You plan to implement a new Active Directory forest. The new forest will be used for testing and will be isolated
from the production network.
In the test network, you deploy a server named Server1 that runs Windows Server 2012.
You need to configure Server1 as a new domain controller in a new forest named contoso.test.
The solution must meet the following requirements:
The functional level of the forest and of the domain must be the same as that of contoso.com.
Server1 must provide name resolution services for contoso.test.
What should you do?
To answer, configure the appropriate options in the answer area.
Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
Very smartly reworded that you need to configure Server1 as a new DC in a new forest named contoso.test and
"also do name resolution". In the answer you will have to select Windows 2003 as the domain and forest functional
level and you should also check "Domain Name System (DNS) server".... This is not in any dumps.
In Windows Server 2003 Active Directory, domain controllers can run different versions of Windows Server
operating systems. The Active Directory functional level of a domain or forest depends on which versions of
Windows Server operating systems are running on the domain controllers in the domain or forest. The

functional level of a domain or forest controls which advanced features are available in the domain or forest.
Ideally, all servers in an organization could run the latest version of Windows and take advantage of all
advanced features available with the newest software.
When you deploy a new forest, you are prompted to set the forest functional level and then set the domain
functional level. You cannot set the domain functional level to a value that is lower than the forest functional
level. You can set the domain functional level to a value that is higher than the forest functional level.
You can raise the functional level of a forest only if all domain controllers in the forest run the version or
versions of Windows Server that the new functional level supports.

When you deploy AD DS, set the domain and forest functional levels to the highest value that your environment
can support. This way, you can use as many AD DS features as possible. For example, if you are sure that you
will never add domain controllers that run Windows Server 2003 to the domain or forest, select the Windows
Server 2008 functional level during the deployment process. However, if you might retain or add domain
controllers that run Windows Server 2003, select the Windows Server 2003 functional level. When you deploy a
new forest, you are prompted to set the forest functional level and then set the domain functional level.
You cannot set the domain functional level to a value that is lower than the forest functional level.
http://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels%28v=ws.10%29.aspx

QUESTION 31
* Your network contains an Active Directory forest. The forest contains one domain named contoso.com. The
domain contains three domain controllers. The domain controllers are configured as shown in the following
table.

DC1 has all of the operations master roles installed.


You transfer all of the operations master roles to DC2, and then you uninstall Active Directory from DC1.
You need to ensure that you can use Password Settings objects (PSOs) in the domain.
What should you do?
A. Change the domain functional level.
B. Upgrade DC2.
C. Run the dcgpofix.exe command.
D. Transfer the schema master role.

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
The Windows Server 2008 operating system provides organizations with a way to define different password and
account lockout policies for different sets of users in a domain.
The domain functional level must be Windows Server 2008.
http://technet.microsoft.com/en-us/library/cc770394(v=ws.10).aspx
QUESTION 32
* Your network contains an Active Directory forest named contoso.com. The forest contains three domains. All
domain controllers run Windows Server 2012.
The forest has a two-way realm trust to a Kerberos realm named adatum.com.
You discover that users in adatum.com can only access resources in the root domain of contoso.com.
You need to ensure that the adatum.com users can access the resources in all of the domains in the forest.
What should you do in the forest?
A. Delete the realm trust and create a forest trust.
B. Delete the realm trust and create three external trusts.
C. Modify the incoming realm trust.
D. Modify the outgoing realm trust.

Correct Answer: D

Section: (none)
Explanation
Explanation/Reference:
When to create a realm trust
A realm trust can be established between any non-Windows Kerberos V5 realm and a Windows Server
2003 domain.
This trust relationship allows cross-platform interoperability with security services based on other Kerberos V5
versions such as UNIX and MIT implementations.
Realm trusts can switch from nontransitive to transitive and back. Realm trusts can also be either one-way or
two-way.
http://technet.microsoft.com/pt-pt/library/cc784531%28v=ws.10%29.aspx
http://technet.microsoft.com/en-us/library/cc740052%28v=ws.10%29.aspx
QUESTION 33
* Your network contains an Active Directory domain named contoso.com. The domain contains two domain
controllers named DC1 and DC2 that run Windows Server 2012.
DC1 and DC2 fail to replicate Active Directory information.
You confirm that DC1 and DC2 have network connectivity.
The NTDS Settings of DC2 are configured as shown in the NTDS Settings exhibit. (Click the Exhibit button.)
DNS is configured as shown in the DNS exhibit. (Click the Exhibit button.)
You need to ensure that DC1 and DC2 can replicate immediately.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
NTDS Settings (exhibit):

DNS (exhibit):

A. From DC1, restart the Netlogon service.
B. From DC2, run nltest.exe /sync.
C. From DC1, run ipconfig /flushdns.
D. From DC1, run repadmin /syncall.
E. From DC2, run ipconfig /registerdns.
F. From DC2, restart the Netlogon service.

Correct Answer: DE
Section: (none)
Explanation
Explanation/Reference:
The DC2 name/alias is not available in DNS. First we register the DC2 name from DC2 with ipconfig /registerdns.
Then we synchronize a specified domain controller, DC1 (DC2 would also work), with all of its replication
partners with repadmin /syncall.
QUESTION 34
* You are employed as a senior network administrator at ABC.com. ABC.com has an Active Directory domain
named ABC.com. All servers on the ABC.com network have Windows Server 2012 installed. The ABC.com
domain has an Active Directory site configured in London, and an Active Directory site in New York. You have
been instructed to make sure that the synchronization of account lockout data happens quicker.
A. You should consider editing the options attribute from WANLINK properties
B. You should consider editing the options attribute from LANLIK properties
C. You should consider editing the options attribute from the DEFAULTSITELINK properties
D. You should consider editing the proxyAddressess attribute from the DEFAULTIPSITELINK properties.

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Change notification is a mechanism by which a domain controller notifies a replication partner that it has
changes. Replication within a site occurs as a response to changes; as changes occur on one domain
controller, it notifies its replication partner, which prompts the partner to request the changes. When a domain
controller performs an update to an attribute, it sends notification to its replication partner within a specified time
following the change.
Active Directory replication occurs automatically and reliably with no administrative intervention, other than that
required to configure sites and site links. Some replication events, however, warrant additional understanding
for those administrators who need to fine-tune replication beyond the default behavior.
By default, changes are replicated between sites according to a schedule and not according to when changes
occur. For this reason, the greatest replication latency across the forest is the sum of the greatest replication
latencies along the single longest replication path of any directory partition.
For special circumstances, you can configure change notifications on connections between sites. By modifying
the site link object, you can enable change notification between sites for all connections that occur over that
link. Use ADSI Edit to enable change notification between sites.

http://technet.microsoft.com/en-us/library/cc961787.aspx
QUESTION 35
* Your company recently deployed a new Active Directory forest named contoso.com. The first domain
controller in the forest runs Windows Server 2012.
You need to identify the time-to-live (TTL) value for domain referrals to the NETLOGON and SYSVOL shared
folders.
Which tool should you use?
A. Ultrasound
B. Replmon
C. Dfsdiag
D. Frsutil

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
QUESTION 36
* Your network contains an Active Directory forest. The forest contains two domains named contoso.com and
fabrikam.com. The functional level of the forest is Windows Server 2003.
You have a domain outside the forest named adatum.com.
You need to configure an access solution to meet the following requirements:
Users in adatum.com must be able to access resources in contoso.com. Users in adatum.com must be
prevented from accessing resources in fabrikam.com.
Users in both contoso.com and fabrikam.com must be prevented from accessing resources in adatum.com.
What should you create?
A. a one-way external trust from adatum.com to fabrikam.com
B. a one-way realm trust from fabrikam.com to adatum.com
C. a one-way realm trust from adatum.com to fabrikam.com
D. a one-way external trust from contoso.com to adatum.com

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
NOTE: On exam the domain names were changed, so understand the question well.
Communication between domains occurs through trusts. Trusts are authentication pipelines that must be
present in order for users in one domain to access resources in another domain.
A one-way trust is a unidirectional authentication path that is created between two domains. This means that in
a one-way trust between Domain A and Domain B, users in Domain A can access resources in Domain B.
However, users in Domain B cannot access resources in Domain A. This would allow adatum.com users
access to contoso.com which is desired.

One-way trust
A one-way trust is a unidirectional authentication path created between two domains. This means that in a
one-way trust between Domain A and Domain B, users in Domain A (trusted domain) can access resources in
Domain B (trusting domain). However, users in Domain B cannot access resources in Domain A. Some
one-way trusts can be a nontransitive trust or a transitive trust depending on the type of trust being created.
http://technet.microsoft.com/en-us/library/cc728024(v=ws.10).aspx
QUESTION 37
* Your network contains an Active Directory forest. The forest contains two domains named contoso.com and
fabrikam.com. The functional level of the forest is Windows Server 2003.
You have a domain outside the forest named adatum.com.
You need to configure an access solution to meet the following requirements:
Users in adatum.com must be able to access resources in contoso.com.
Users in adatum.com must be prevented from accessing resources in fabrikam.com.
Users in both contoso.com and fabrikam.com must be prevented from accessing resources in adatum.com.
What should you create?
A. a one-way realm trust from contoso.com to adatum.com
B. a one-way realm trust from adatum.com to contoso.com
C. a one-way external trust from contoso.com to adatum.com
D. a one-way external trust from adatum.com to contoso.com

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Create a one-way, outgoing, external trust for one side of the trust
A one-way, outgoing, external trust will allow resources in your domain (the domain that you are logged on to at
the time that you run the New Trust Wizard) to be accessed by users in a different Active Directory domain
(outside your forest).
http://technet.microsoft.com/en-us/library/cc776245%28v=ws.10%29.aspx
QUESTION 38
* Your company has offices in Montreal, New York, and Amsterdam.
The network contains an Active Directory forest named contoso.com. An Active Directory site exists for each
office. All of the sites connect to each other by using the DEFAULTIPSITELINK site link.
You need to ensure that only between 20:00 and 08:00, the domain controllers in the Montreal office replicate
the Active Directory changes to the domain controllers in the Amsterdam office.
The solution must ensure that the domain controllers in the Montreal and the New York offices can replicate the
Active Directory changes any time of day.
What should you do?
A. Create a new site link that contains Montreal and Amsterdam. Remove Amsterdam from
DEFAULTIPSITELINK. Modify the schedule of DEFAULTIPSITELINK.
B. Create a new site link that contains Montreal and Amsterdam. Create a new site link bridge. Modify the
schedule of DEFAULTIPSITELINK.
C. Create a new site link that contains Montreal and Amsterdam. Remove Amsterdam from
DEFAULTIPSITELINK. Modify the schedule of the new site link.
D. Create a new site link that contains Montreal and Amsterdam. Create a new site link bridge. Modify the
schedule of the new site link.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
In Windows 2000 Server and Windows Server 2003, the directory service is named Active Directory. In
Windows Server 2008 and Windows Server 2008 R2, the directory service is named Active Directory Domain
Services (AD DS).
Default Site Link
When you install Active Directory on the first domain controller in the forest, an object named
DEFAULTIPSITELINK is created in the Sites container (in the IP container within the Inter-Site Transports
container). This site link contains only one site, Default-First-Site-Name.
INFO: Very smartly reworded with the same 3 offices. In the exam the correct answer is "Create a new site link
that contains New York to Montreal. Remove Montreal from DEFAULTIPSITELINK. Modify the schedule
of the new site link".
http://technet.microsoft.com/en-us/library/cc755994(v=ws.10).aspx
QUESTION 39
* Your network contains an Active Directory forest named adatum.com. The forest contains a single domain.
The domain contains four servers. The servers are configured as shown in the following table.

You need to update the schema to support a domain controller that will run Windows Server 2012.
On which server should you run adprep.exe?

A. Server1
B. DC3
C. DC2
D. DC1

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
DC3 is the only server that could be assumed to be 64-bit. Windows Server 2008 R2 minimum: 1.4 GHz 64-bit
processor.

http://technet.microsoft.com/en-us/library/dd379511%28v=ws.10%29.aspx
http://technet.microsoft.com/en-us/library/dd464018(v=ws.10).aspx#BKMK_WS2012
QUESTION 40
* Your network contains two Active Directory forests named contoso.com and adatum.com.
Contoso.com contains one domain. Adatum.com contains a child domain named child.adatum.com.
Contoso.com has a one-way forest trust to adatum.com. Selective authentication is enabled on the forest trust.
Several user accounts are migrated from child.adatum.com to adatum.com.
Users report that after the migration, they fail to access resources in contoso.com. The users successfully
accessed the resources in contoso.com before the accounts were migrated.
You need to ensure that the migrated users can access the resources in contoso.com.
What should you do?
A. Replace the existing forest trust with an external trust.
B. Run netdom and specify the /quarantine attribute.
C. Disable SID filtering on the existing forest trust.
D. Disable selective authentication on the existing forest trust.

Correct Answer: C
Section: (none)

Explanation
Explanation/Reference:
We need to grant access to the resources in contoso.com.
Selective authentication over a forest trust restricts access to only those users in a trusted forest who have
been explicitly given authentication permissions to computer objects (resource computers) that reside in the
trusting forest.
SID Filtering
SID filtering is set on all trusts to prevent malicious users who have domain or enterprise administrator level
access in a trusted forest from granting (to themselves or other user accounts in their forest) elevated user
rights to a trusting forest. It does this by preventing misuse of the attributes containing SIDs on security
principals (including inetOrgPerson) in the trusted forest. One common example of an attribute that contains a
SID is the SID history attribute (sIDHistory) on a user account object. The SID history attribute is typically used
by domain administrators to seamlessly migrate the user and group accounts that are held by a security
principal from one domain to another.
When security principals are created in a domain, the domain SID is included in the SID of the principal to
identify the domain in which it was created. The domain SID is important because the Windows security
subsystem uses it to verify the identity of the security principal, which in turn determines what resources in the
domain the principal can access.
How SID History is used to migrate accounts
Domain administrators can simplify account migration by using the SID history attribute to migrate permissions,
either automatically by using the Active Directory Migration Tool (ADMT) or manually by adding SIDs from an
old user or group account to the SID history attribute of the new, migrated account. With either method, the new
account retains the same level of permissions or access to resources as the old account. If domain
administrators could not use the SID history attribute in this way, they would have to determine and reapply
permissions on each network resource to which the old account had access.

http://technet.microsoft.com/en-us/library/cc755321%28v=ws.10%29.aspx

QUESTION 41
* (A)
Your network contains an Active Directory domain named contoso.com. All domain controllers run Windows
Server 2012. The domain contains two domain controllers. The domain controllers are configured as shown in
the following table.

The Branch site contains a member server named Server1 that runs Windows Server 2012.
You need to identify which domain controller authenticated the computer account of Server1.
What should you do?
A. Verify the value of the %LOGONSERVER% environment variable.
B. Run nltest /sc_query.
C. Verify the value of the %SESSIONNAME% environment variable.
D. Run nltest /dsgetsite.

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
The %LOGONSERVER% variable is not updated after logon, so it may not show which domain controller the
secure channel is currently established with.
For example, the initial logon may be against DC2, but at some point during the session the secure channel
may be established with DC1. The LOGONSERVER variable will not be updated to show this.
Therefore, nltest /sc_query: is far more reliable.
http://support.microsoft.com/kb/141714/en
QUESTION 42
* Your network contains an Active Directory forest named contoso.com. The contoso.com domain only contains
domain controllers that run Windows Server 2012.
The forest contains a child domain named child.contoso.com. The child.contoso.com domain only contains
domain controllers that run Windows Server 2008 R2. The child.contoso.com domain contains a member
server named Server1 that runs Windows Server 2012.
You have access to four administrative user accounts in the forest. The administrative user accounts are
configured as shown in the following table.

You need to ensure that you can add a domain controller that runs Windows Server 2012 to the
child.contoso.com domain.
Which account should you use to run adprep.exe?
A. Admin1
B. Admin2
C. Admin3
D. Admin4

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:

http://technet.microsoft.com/en-us/library/4fff7ac7-b90f-41d0-8c87-9ffe08dc6c01#BKMK_Creds
QUESTION 43
* Your network contains an Active Directory forest. The forest contains one domain named adatum.com. The
domain contains three domain controllers. The domain controllers are configured as shown in the following
table.

DC2 has all of the domain-wide operations master roles. DC3 has all of the forest-wide operation master roles.
You need to ensure that you can use Password Settings objects (PSOs) in the domain.
What should you do first?

A. Uninstall Active Directory from DC1.
B. Change the domain functional level.
C. Transfer the domain-wide operations master roles.
D. Transfer the forest-wide operations master roles.

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Domain functional level: The domain functional level must be set to Windows Server 2008 or higher.
http://technet.microsoft.com/en-us/library/cc770842%28v=ws.10%29.aspx
QUESTION 44
* Your network contains an Active Directory domain named contoso.com. All domain controllers run Windows
Server 2012. The domain contains two domain controllers. The domain controllers are configured as shown in
the following table.

The Branch site contains a perimeter network.


For security reasons, client computers in the perimeter network can communicate with client computers in the
Branch site only.
You plan to deploy a new RODC to the perimeter network in the Branch site.
You need to ensure that the new RODC will be able to replicate from DC10.
What should you do first on DC10?
A. Enable the Bridge all site links setting.
B. Run the Active Directory Domain Services Configuration Wizard.
C. Create an Active Directory site link bridge.
D. Create an Active Directory site.

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:

http://technet.microsoft.com/en-us/library/cc732632%28v=ws.10%29.aspx
QUESTION 45
Your network contains an Active Directory domain named contoso.com. The domain contains a main office and
a branch office. An Active Directory site exists for each office.
All domain controllers run Windows Server 2012. The domain contains two domain controllers. The domain
controllers are configured as shown in the following table.

DC1 hosts an Active Directory-integrated zone for contoso.com.


You add the DNS Server server role to DC2.
You discover that the contoso.com DNS zone fails to replicate to DC2.
You verify that the domain, schema, and configuration naming contexts replicate from DC1 to DC2.
You need to ensure that DC2 replicates the contoso.com zone by using Active Directory replication.
Which tool should you use?
A. Repadmin
B. Dnscmd
C. Dnslint
D. DNS Manager

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
You can manually initiate DNS replication using DNS Manager. Note: You can use DNS Manager, the DNS
snap-in in Microsoft Management Console (MMC), to manage the local Domain Name System (DNS) server as
well as remote DNS servers. Using DNS Manager or a command line, you can start, stop, or pause a DNS
server. You can also pause and restart individual zones that are hosted by the server.
Incorrect:
Not A: Repadmin.exe helps administrators diagnose Active Directory replication problems between domain
controllers running Microsoft Windows operating systems.
QUESTION 46
Your network contains an Active Directory domain named contoso.com. The domain contains two Active
Directory sites named Site1 and Site2.
You discover that when the account of a user in Site1 is locked out, the user can still log on to the servers in
Site2 for up to 15 minutes by using Remote Desktop Services (RDS).
You need to reduce the amount of time it takes to synchronize account lockout information across the domain.
Which attribute should you modify?
To answer, select the appropriate attribute in the answer area.
Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
Active Directory replication occurs automatically and reliably with no administrative intervention, other than that
required to configure sites and site links. Some replication events, however, warrant additional understanding
for those administrators who need to fine-tune replication beyond the default behavior.
"Normal" Active Directory replication occurs almost immediately between replication partners in the same site (5
seconds after the change is made). "Normal" replication between different sites (say Canberra and Dallas)
occurs per schedule with the smallest configurable value being 15 minutes.
Is it possible to have your changes replicate quicker than every 15 minutes between sites?
Yes. Manually speaking you can use Repadmin.exe (with the /replicate switch). Or you can use the sites and
services console (Replicate Now).

Automatically?
Also yes. You can use a feature called Inter-site Change Notification. Inter-site change notification tells the
replication engine to treat the link as if it was in the same site. That is, notify the replication partners of the
change rather than wait for the replication interval to pass (minimum of 15 minutes).

In the Edit Attribute box, if the Value(s) box shows <not set> , type 1 in the Edit Attribute box. If the Value(s) box
contains a value, you must derive the new value by using a Boolean BITWISE-OR calculation on the old value,
as follows: old_value BITWISE-OR 1. For example, if the value in the Value(s) box is 2, calculate 0010 OR
0001 to equal 0011. Type the integer value of the result in the Edit Attribute box; for this example, the value is
3.

So when should I do this?


The answer is: it depends. Start with the obvious, that is when you need replication to occur between sites
according to change notification rather than schedule (15 minutes minimum).
http://gallery.technet.microsoft.com/scriptcenter/61cb88bb-8c61-477f-834e-79ed0c153669
http://blogs.msdn.com/b/canberrapfe/archive/2012/03/26/active-directory-replication-change-notification-ampyou.aspx
http://technet.microsoft.com/en-us/library/cc961787.aspx
QUESTION 47
Your network contains an Active Directory domain named contoso.com. The domain contains two sites named
Site1 and Site2 and two domain controllers named DC1 and DC2. Both domain controllers are located in Site1.
You install an additional domain controller named DC3 in Site1 and you ship DC3 to Site2.
A technician connects DC3 to Site2.
You discover that users in Site2 are authenticated by all three domain controllers.
You need to ensure that the users in Site2 are authenticated by DC1 or DC2 only if DC3 is unavailable.
What should you do?
A. From Network Connections, modify the IP address of DC3.
B. In Active Directory Sites and Services, modify the Query Policy of DC3.
C. From Active Directory Sites and Services, move DC3.
D. In Active Directory Users and Computers, configure the msDS-PrimaryComputer attribute for the users in
Site2.

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
"You install an additional domain controller named DC3 in Site1 and you ship DC3 to Site2." - DC3 needs to be
moved to Site2 in AD DS
When an application requests access to Active Directory, a domain controller is located by a mechanism called
the Domain Controller Locator.

The process of location is to use DNS to identify a set of candidate domain controllers from a list, based on
SRV records.
Then, the servers on the list are queried to test if they are alive.

http://blogs.technet.com/b/arnaud_jumelet/archive/2010/07/05/domain-controller-locator-an-overview.aspx
http://blogs.dirteam.com/blogs/paulbergson/archive/2010/04/19/ad-clients-not-authenticating-to-its-localsite.aspx
QUESTION 48
Your network contains an Active Directory domain named adatum.com. The domain contains two sites named
Site1 and Site2 and two domain controllers named DC1 and DC2. DC1 is located in Site1 and DC2 is located in
Site2.
You install an additional domain controller named DC3 in Site1 and you ship DC3 to Site2.
A technician connects DC3 to Site2.
You discover that users in Site2 are authenticated only by DC2.
You need to ensure that the users in Site2 are authenticated by both DC2 and DC3.
What should you do?
A. In Active Directory Users and Computers, configure the msDS-PrimaryComputer attribute for DC3.
B. In Active Directory Users and Computers, configure the msDS-Site-Affinity attribute for DC3.
C. From Active Directory Sites and Services, move DC3.
D. From Active Directory Sites and Services, modify the site link between Site1 and Site2.

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
"You install an additional domain controller named DC3 in Site1 and you ship DC3 to Site2." - DC3 needs to be
moved to Site2 in AD DS

When an application requests access to Active Directory, a domain controller is located by a mechanism called
the Domain Controller Locator.
The process of location is to use DNS to identify a set of candidate domain controllers from a list, based on
SRV records.
Then, the servers on the list are queried to test if they are alive.

http://blogs.technet.com/b/arnaud_jumelet/archive/2010/07/05/domain-controller-locator-an-overview.aspx
http://blogs.dirteam.com/blogs/paulbergson/archive/2010/04/19/ad-clients-not-authenticating-to-its-localsite.aspx
QUESTION 49
* Your network contains an AD forest named contoso.com. All servers run Windows Server 2012 R2. You need
to create a custom Active Directory application partition. Which tool should you use?
A. Netdom
B. Ntdsutil
C. Dsmod
D. Dsamain

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 50
* Your network contains an AD domain named contoso.com. The domain contains two servers, Server1 and
Server2, that run Windows Server 2012 R2. You create a security template named template1 by using the security
template snap-in. You need to apply template1 to Server2. Which tool should you use?
A. Security Configuration and Analysis
B. Server manager
C. Security Template
D. Computer management

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 51
* Your network contains three Active Directory forests. The forests are configured as shown in the following
table.

A two-way forest trust exists between contoso.com and division1.contoso.com. A two-way forest trust also
exists between contoso.com and division2.contoso.com.
You plan to create a one-way forest trust from division1.contoso.com to division2.contoso.com.
You need to ensure that any cross-forest authentication requests are sent to the domain controllers in the
appropriate forest after the trust is created.
How should you configure the existing forest trust settings?
In the table below, identify which configuration must be performed in each forest. Make only one selection in
each column. Each correct selection is worth one point.

Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
Exclude the opposite division from the name suffix routing entry.
http://blogs.technet.com/b/askds/archive/2009/04/10/name-suffix-routing.aspx

Configure Identity and Access solutions


QUESTION 1
* Your network contains two Active Directory forests named contoso.com and adatum.com. A two-way forest
trust exists between the forests.
The contoso.com forest contains an enterprise certification authority (CA) named Server1.
You implement cross-forest certificate enrollment between the contoso.com forest and the adatum.com forest.
On Server1, you create a new certificate template named Template1.
You need to ensure that users in the adatum.com forest can request certificates that are based on Template1.
Which tool should you use?
A. DumpADO.ps1
B. Repadmin
C. Add-CATemplate
D. Certutil
E. PKISync.ps1

Correct Answer: E
Section: (none)
Explanation
Explanation/Reference:
Starting with Windows Server 2008 R2, you can utilize Certificate Enrollment Web Services to provide
certificates across forests that do not require forest trust relationships. What's New in Active Directory
Certificate Services
http://technet.microsoft.com/en-us/library/ff955845%28v=ws.10%29.aspx#BKMK_Consolidating
http://technet.microsoft.com/en-us/library/7ed98c32-66a6-4846-a784-1f0e350896d4%28v=ws.10%29#BKMK_SavePKISync

QUESTION 2
* You have a server named Server1 that has the Active Directory Certificate Services server role installed.
Server1 uses a hardware security module (HSM) to protect the private key of Server1.
You need to ensure that the Active Directory Certificate Services (AD CS) database, log files, and private key
are backed up.
You perform regular backups of the HSM module by using a backup utility provided by the HSM manufacturer.
What else should you do?
A. Run the certutil.exe command and specify the -backupkey parameter.
B. Run the certutil.exe command and specify the -backupdb parameter.
C. Run the certutil.exe command and specify the -backup parameter.
D. Run the certutil.exe command and specify the -dump parameter.

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
When designing a public key infrastructure (PKI) for your organization, you must develop an effective disaster
recovery plan to ensure that, in the event of failure of the computer hosting Certificate Services, you can
recover in a timely manner with little effect on your organization.

Certutil.exe is a command-line program that is installed as part of Certificate Services.


You can use Certutil.exe to dump and display certification authority (CA) configuration information, configure
Certificate Services, backup and restore CA components, and verify certificates, key pairs, and certificate
chains.
The service should be stopped to prevent issuance of additional certificates. If certificates are issued by the
source CA after a database backup is completed, repeat the CA database backup procedure to ensure the
database backup contains all issued certificates.
To back up the database and log files for ADCS, you must log on to the CA as administrator and open a command
prompt:
certutil -backupDB <BackupDirectory> KeepLog

NOTE: If a hardware security module (HSM) is used by the CA, back up the private keys by following
procedures provided by the HSM vendor.
http://technet.microsoft.com/pt-pt/library/ee126140%28v=ws.10%29.aspx
QUESTION 3
* (B)
Your network contains an Active Directory domain named contoso.com. The domain contains a server named
Server1 that runs Windows Server 2012. The system properties of Server1 are shown in the exhibit. (Click the
Exhibit button.)
You need to configure Server1 as an enterprise subordinate certification authority (CA).
What should you do first?
Exhibit:

A. Add RAM to the server.
B. Set the Startup Type of the Certificate Propagation service to Automatic.
C. Install the Certification Authority Web Enrollment role service.
D. Join Server1 to the contoso.com domain.

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
A new CA can be the root CA of a new PKI or subordinate to another in an existing PKI.
Enterprise subordinate certification authority
An enterprise subordinate CA must get a CA certificate from an enterprise root CA but can then issue
certificates to all users and computers in the enterprise. These types of CAs are often used for load balancing
of an enterprise root CA.
Enterprise CAs can be used to issue certificates to support such services as digital signatures, Secure
Multipurpose Internet Mail Extensions (S/MIME) secure mail, Secure Sockets Layer (SSL) or Transport Layer
Security (TLS) secured web access and smart card authentication. Enterprise CAs are used to provide
certificate services to internal users who have user accounts in the domain.

Requiring Active Directory, an Enterprise subordinate CA obtains its certificate from an already existing CA.
These types of CAs are used to provide smart-card-enabled logons by Windows XP and other Windows Server
2003 machines.
After a root certification authority (CA) has been installed, many organizations will install one or more
subordinate CAs to implement policy restrictions on the public key infrastructure (PKI) and to issue certificates
to end clients. Using at least one subordinate CA can help protect the root CA from unnecessary exposure.
If a subordinate CA will be used to issue certificates to users or computers with accounts in an Active Directory
domain, installing the subordinate CA as an enterprise CA allows you to use the client's existing account data in
Active Directory Domain Services (AD DS) to issue and manage certificates and to publish certificates to AD
DS.
Membership in local Administrators, or equivalent, is the minimum required to complete this procedure. If this
will be an enterprise CA, membership in Domain Admins, or equivalent, is the minimum required to
complete this procedure.

QUESTION 4
* Your network contains an Active Directory domain named contoso.com. The domain contains a server named
Server1 that runs Windows Server 2012.

Server1 has the Active Directory Certificate Services server role installed and is configured as an enterprise
certification authority (CA).
You need to ensure that all of the users in the domain are issued a certificate that can be used for the following
purposes:
Email security
Client authentication
Encrypting File System (EFS)
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. From a Group Policy, configure the Certificate Services Client Auto-Enrollment settings.
B. From a Group Policy, configure the Certificate Services Client Certificate Enrollment Policy settings.
C. Modify the properties of the User certificate template, and then publish the template.
D. Duplicate the User certificate template, and then publish the template.
E. From a Group Policy, configure the Automatic Certificate Request Settings settings.

Correct Answer: AD
Section: (none)
Explanation
Explanation/Reference:
A public key certificate, usually just called a certificate, is a digitally signed statement that's commonly used for
authentication and to secure information on open networks. A certificate securely binds a public key to the entity
that holds the corresponding private key. The issuing CA digitally signs the certificates, and they can be issued
for a user, a computer, or a service.
Explanation:
The default user template supports all of the requirements EXCEPT auto enroll as shown below:

However a duplicated template from users has the ability to autoenroll:

The Automatic Certificate Request Settings GPO setting is only available to Computer, not user.
http://technet.microsoft.com/en-us/library/dd851772.aspx

QUESTION 5
* Your network contains an Active Directory domain named contoso.com. The domain contains a server named
Server1 that runs Windows Server 2012. Server1 has the Active Directory Federation Services (AD FS) server
role installed.
Adatum.com is a partner organization.
You are helping the administrator of adatum.com set up a federated trust between adatum.com and
contoso.com. The administrator of adatum.com asks you to provide a file containing the federation metadata of
contoso.com.
You need to identify the location of the federation metadata file.

Which node in the AD FS console should you select?


To answer, select the appropriate node in the answer area.
Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
Each AD FS 2.0 federation server is configured by default to publish metadata describing itself via https. If you
click on the Service\Endpoints folder in the AD FS 2.0 snap-in you can see the highlighted endpoint in question
as shown below:

To see what the actual XML looks like you can enter the endpoint into your web browser, as shown below:

http://blogs.msdn.com/b/card/archive/2010/06/25/using-federation-metadata-to-establish-a-relying-party-trustin-ad-fs-2-0.aspx
http://docs.oasis-open.org/wsfed/federation/v1.2/ws-federation.pdf
QUESTION 6
* Your network contains an Active Directory domain named contoso.com. A previous administrator
implemented a Proof of Concept installation of Active Directory Rights Management Services (AD RMS). After
the proof of concept was complete, the Active Directory Rights Management Services server role was removed.
You attempt to deploy AD RMS. During the configuration of AD RMS, you receive an error message indicating
that an existing AD RMS Service Connection Point (SCP) was found.
You need to remove the existing AD RMS SCP.
Which tool should you use?
A. ADSI Edit
B. Active Directory Users and Computers
C. Active Directory Domains and Trusts
D. Active Directory Sites and Services
E. Services
F. Authorization Manager
G. TPM Management
H. Certification Authority
Correct Answer: AD
Section: (none)
Explanation
Explanation/Reference:
Only one SCP for AD RMS can exist in your Active Directory forest. If you try to install AD RMS and an SCP
already exists in your forest from a previous RMS installation that was not properly deprovisioned, AD RMS will
install as a subenrolled licensing-only cluster, which will not enable you to deprovision the existing RMS cluster.
The SCP must therefore be removed before you can install the new AD RMS cluster.
A SCP can be viewed using ADSI Edit or LDP. To view the SCP, connect to the configuration container in ADSI
Edit and navigate the following nodes: CN=Configuration [server name], CN=Services,
CN=RightsManagementServices, CN=SCP.
The easiest way to remove the SCP is by using the RMS Administration Console. You can also remove an SCP
by using the ADScpRegister.exe tool included in the original RMS Administration Toolkit, which you can
download from here: Microsoft Download Center: Rights Management Services Administration Toolkit with
SP2.

http://technet.microsoft.com/en-us/library/jj835767(v=ws.10).aspx

QUESTION 7
* Your network contains an Active Directory domain named adatum.com. The domain contains a server named
CA1 that runs Windows Server 2012. CA1 has the Active Directory Certificate Services server role installed and
is configured to support key archival and recovery.
You need to ensure that a user named User1 can decrypt private keys archived in the Active Directory
Certificate Services (AD CS) database. The solution must prevent User1 from retrieving the private keys from
the AD CS database.

What should you do?


A. Assign User1 the Issue and Manage Certificates permission to Server1.
B. Assign User1 the Read permission and the Write permission to all certificate templates.
C. Provide User1 with access to a Key Recovery Agent certificate and a private key.
D. Assign User1 the Manage CA permission to Server1.

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:

http://technet.microsoft.com/pt-pt/library/cc776056%28v=ws.10%29.aspx
QUESTION 8
* Your network contains four Active Directory forests. Each forest contains an Active Directory Rights
Management Services (AD RMS) root cluster.
All of the users in all of the forests must be able to access protected content from any of the forests.
You need to identify the minimum number of AD RMS trusts required.
How many trusts should you identify?
A. 3
B. 6
C. 12
D. 16

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Active Directory Rights Management Services (AD RMS) is an information protection technology that works
with AD RMS-enabled applications to help safeguard digital information from unauthorized use. Content
owners can define who can open, modify, print, forward, or take other actions with the information.
One organization may have multiple forests and therefore may have multiple AD RMS installations. Each AD
RMS installation may be configured to trust the other AD RMS installations in the organization by establishing
one another as trusted user domains.
"four Active Directory forests". Bidirectional means each forest needs the TUD file of each of the 3 other forests. 4 x 3 = 12
http://technet.microsoft.com/en-us/library/ee221071(v=ws.10).aspx

QUESTION 9
* Your network contains an Active Directory forest named adatum.com. The forest contains an Active Directory
Rights Management Services (AD RMS) cluster.
A partner company has an Active Directory forest named litwareinc.com. The partner company does not have
AD RMS deployed.
You need to ensure that users in litwareinc.com can consume rights-protected content from adatum.com.
Which type of trust policy should you create?
A. A federated trust
B. A trusted user domain
C. A trusted publishing domain
D. Windows Live ID

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:

http://technet.microsoft.com/en-us/library/dd772651%28v=WS.10%29.aspx
QUESTION 10

* Your network contains an Active Directory domain named contoso.com. The domain contains a server named
Server1 that runs Windows Server 2012. Server1 has the Active Directory Federation Services server role
installed.
You need to make configuration changes to the Windows Token-based Agent role service.
Which tool should you use?
To answer, select the appropriate tool in the answer area.
Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
Configure the Windows Token-Based Agent
The following procedure must be completed on the Web server so that clients in the account partner
organization can access Windows NT token-based applications, such as SharePoint sites, that are hosted on
the Web server in the resource partner organization.

http://technet.microsoft.com/en-us/library/cc771128%28v=ws.10%29.aspx
QUESTION 11

* Your network contains an Active Directory domain named contoso.com. The domain contains a server named
Server1 that runs Windows Server 2012. Server1 has the Active Directory Certificate Services server role
installed and configured.
For all users, you are deploying smart cards for logon. You are using an enrollment agent to enroll the smart
card certificates for the users.
You need to configure the Contoso Smartcard Logon certificate template to support the use of the enrollment
agent.
Which setting should you modify? To answer, select the appropriate setting in the answer area.
Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
In the drop-down under Application policy: select Certificate Request Agent.

http://technet.microsoft.com/en-us/library/hh230277%28v=ws.10%29.aspx
QUESTION 12
* Your network contains two Active Directory forests named contoso.com and adatum.com.
All domain controllers run Windows Server 2012.
A federated trust exists between adatum.com and contoso.com. The trust provides adatum.com users with
access to contoso.com resources.
You need to configure Active Directory Federation Services (AD FS) claim rules for the federated trust. The
solution must meet the following requirements:
In contoso.com, replace an incoming claim type named Group with an outgoing claim type named Role.
In adatum.com, allow users to receive their tokens for the relying party by using their Active Directory group
membership as the claim type.
The AD FS claim rules must use predefined templates.
Which rule types should you configure on each side of the federated trust?
To answer, drag the appropriate rule types to the correct location or locations. Each rule type may be used
once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
Select and Place:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
http://technet.microsoft.com/en-us/library/ee913567.aspx
Claim rules process incoming claims either directly from a claims provider (such as Active Directory or another
Federation Service) or from the output of the acceptance transform rules on a claims provider trust.
Issuance Authorization Rules: These rules determine whether a user can receive claims for a relying party
and, therefore, access to the relying party.
http://technet.microsoft.com/en-us/library/ee913586.aspx

QUESTION 13
* (A) You deploy an Active Directory Federation Services (AD FS) 2.1 infrastructure. The infrastructure uses
Active Directory as the attribute store.
Some users report that they fail to authenticate to the AD FS infrastructure.
You discover that only users who run third-party web browsers experience issues.
You need to ensure that all of the users can authenticate to the AD FS infrastructure successfully.
Which Windows PowerShell command should you run?
A. Set-ADFSProperties -ProxyTrustTokenLifetime 1:00:00
B. Set-ADFSProperties -AddProxyAuthenticationRules None
C. Set-ADFSProperties -SSOLifetime 1:00:00
D. Set-ADFSProperties -ExtendedProtectionTokenCheck None
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
ProxyTrustTokenLifetime: Sets the valid token lifetime for proxy trust tokens (in minutes). This value is used
by the federation server proxy to authenticate with its associated federation server. Default Value: 21600 min
SsoLifetime: Specifies the duration of the single sign-on (SSO) experience for Web browser clients (in
minutes). Default Value: 480 min

http://social.msdn.microsoft.com/Forums/vstudio/en-US/8e1ccbc4-84fd-46bd-aae5-8ca16c8349e4/adfsssolifetime-vs-token-lifetime?forum=Geneva
http://technet.microsoft.com/en-us/library/ee892317.aspx
http://blogs.technet.com/b/askds/archive/2012/01/05/understanding-the-ad-fs-2-0-proxy.aspx
QUESTION 14
* (D)
Your network contains an Active Directory domain named contoso.com. The domain contains a server named
Server1 that runs Windows Server 2012. Server1 is an enterprise root certification authority (CA) for
contoso.com.
Your user account is assigned the certificate manager role and the auditor role on the contoso.com CA. Your
account is a member of the local Administrators group on Server1.
You enable CA role separation on Server1.
You need to ensure that you can manage the certificates on the CA.

What should you do?


A. Remove your user account from the local Administrators group.
B. Assign the CA administrator role to your user account.
C. Assign your user account the Bypass traverse checking user right.
D. Remove your user account from the Manage auditing and security log user right.

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
The separation of CA roles can be enforced using role separation. Once enforced, role separation only allows a
user to be assigned a single role. If a user is assigned to more than one role and attempts to perform an
operation on the CA, the operation is denied. For this reason, before role separation is enabled, a user should
be assigned only one CA role.
It is possible for a user assigned a role to become locked out of administering a CA when role
separation is enabled if the user is also assigned to a second CA role.
If the CA Administrator is assigned to a second role, or assigns another role holder to a second role, the CA
Administrator violates the rules of role separation by allowing a user to have two roles. Once the user is
assigned to two roles, role separation will not allow that user to perform any activity on the CA, including, in the
case of the CA Administrator, the activity of removing himself from one of the roles.
To correct this configuration, the local Administrator of the server must disable role separation, remove
the CA Administrator from the second role, and then restart the Certificate Services service.
When you enable Role Separation, members of the local Administrators group, including the local Administrator
account, will not be able to back up or restore the CA, nor will they be able to enable auditing on the CA.
Because Administrators have the permission to back up and restore the CA as well as enable auditing
on the CA, the CA will not allow them to do any tasks because they are assigned multiple roles.
The default installation setting for an enterprise CA is to have members of the local Administrators, Enterprise
Admins, and Domain Admins groups as CA administrators.
As a best practice, group accounts that have been assigned CA administrator or certificate manager roles
should not be members of the local Administrators group.
CA Administrator grants "Manage CA" permission, which provides the ability to configure CA properties,
assign roles to other users, and renew CA certificates.
Certificate Manager grants "Issue and Manage Certificates" permission, which allows managing certificate
enrollment, initiating private key recovery, and Certificate Revocation List.
Backup Operator grants "Backup files and directories" and "Restore files and directories" user rights, which
allows backup and restore of certificate stores.
Auditor grants "Manage auditing and security log" user rights, which allows the configuration and viewing of
security-related events.
Enable role separation in Active Directory Certificate Services to provide greater control over the certification
authority. To enable role separation, open an elevated command prompt and type:
certutil -setreg ca\RoleSeparationEnabled 1
http://technet.microsoft.com/en-us/library/cc732590.aspx
QUESTION 15

* You are employed as a network administrator at contoso.com. Contoso.com has an Active Directory
domain named contoso.com. All servers on the contoso.com network have Windows Server 2012 installed.
A contoso.com server, named Server1, hosts the Active Directory Certificate Services Server role and utilizes a
hardware security module (HSM) to safeguard its private key.
You have been instructed to backup the Active Directory Certificate Services (ADCS) database, log files, and
private key regularly. You should not use a utility supplied by the hardware security module (HSM) creator.
Which of the following actions should you take?
A. You should consider scheduling an incremental backup.
B. You should consider making use of the certutil.exe command.
C. You should consider scheduling a differential backup.
D. You should consider scheduling a copy backup.

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
-Backup, -backupdb, -backupKey: You can use Certutil.exe to dump and display certification authority (CA)
configuration information, configure Certificate Services, backup and restore CA components, and verify
certificates, key pairs, and certificate chains.
http://blogs.technet.com/b/pki/archive/2010/04/20/disaster-recovery-procedures-for-the-active-directorycertificate-services-adcs.aspx

QUESTION 16
* Your network contains an Active Directory domain named contoso.com. All servers run Windows Server
2012.
The domain contains a domain controller named DC1 that is configured as an enterprise root certification
authority (CA). All users in the domain are issued a smart card and are required to log on to their domain-joined
client computer by using their smart card. A user named User1 resigned and started to work for a competing
company.
You need to prevent User1 immediately from logging on to any computer in the domain. The solution must not
prevent other users from logging on to the domain.

Which tool should you use?


A. Active Directory Administrative Center
B. Active Directory Sites and Services
C. Active Directory Users and Computers
D. the Certification Authority console
E. the Certificates snap-in
F. Certificate Templates
G. Server Manager
H. the Security Configuration Wizard

Correct Answer: AC
Section: (none)
Explanation
Explanation/Reference:
Cached credentials do not use CRLs.
http://technet.microsoft.com/pt-pt/library/ff404285%28v=ws.10%29.aspx
QUESTION 17
* Your network contains an Active Directory domain named contoso.com. The domain contains a server named
Server1 that runs Windows Server 2012. Server1 has an enterprise root certification authority (CA) for
contoso.com. You deploy another member server named Server2 that runs Windows Server 2012 and has the
Web Server (IIS) server role installed.
You need to designate a website on Server1 as the certificate revocation list (CRL) distribution point for the CA.
The solution must ensure that CRLs are published automatically to Server2.
Which two actions should you perform? (Each correct answer presents part of the solution.
Choose two.)
A. Create an http:// CRL distribution point (CDP) entry.
B. Configure a CA exit module.
C. Create a file:// CRL distribution point (CDP) entry.
D. Configure an enrollment agent.
E. Configure a CA policy module.

Correct Answer: AE
Section: (none)
Explanation
Explanation/Reference:
A: To specify CRL distribution points in issued certificates:
Open the Certification Authority snap-in.
In the console tree, click the name of the CA.
On the Action menu, click Properties, and then click the Extensions tab. Confirm that Select extension is set to
CRL Distribution Point (CDP).
Do one or more of the following. (The list of CRL distribution points is in the Specify locations from which
users can obtain a certificate revocation list (CRL) box.)
To indicate that you want to use a URL as a CRL distribution point, click the CRL distribution point, select the
Include in the CDP extension of issued certificates check box, and then click OK.
Click Yes to stop and restart Active Directory Certificate Services (AD CS).
E: You can specify CRL Distribution Points (CDPs) in CAPolicy.inf. Note that any CDP in CAPolicy.inf will take
precedence for certificate verifiers over the CDPs specified in the CA policy module.

Note:
CRLDistributionPoint
You can specify CRL Distribution Points (CDPs) for a root CA certificate in the CAPolicy.inf. This section does
not configure the CDP for the CA itself. After the CA has been installed you can configure the CDP URLs that
the CA will include in each certificate that it issues. The URLs specified in this section of the CAPolicy.inf file are
included in the root CA certificate itself.
Example:
[CRLDistributionPoint]
URL=http://pki.wingtiptoys.com/cdp/WingtipToysRootCA.crl
QUESTION 18
* Your network contains an Active Directory domain named contoso.com. The domain contains two servers
named Server1 and Server2 that run Windows Server 2012. The servers have the Hyper-V server role
installed.
A certification authority (CA) is available on the network.
A virtual machine named vm1.contoso.com is replicated from Server1 to Server2. A virtual machine named
vm2.contoso.com is replicated from Server2 to Server1. You need to configure Hyper-V to encrypt the
replication of the virtual machines.
Which common name should you use for the certificates on each server?
To answer, configure the appropriate common name for the certificate on each server in the answer area.
Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
QUESTION 19
* Your network contains an Active Directory domain named contoso.com. The domain contains a server named
Server2 that runs Windows Server 2012.
You are a member of the local Administrators group on Server2.
You install an Active Directory Rights Management Services (AD RMS) root cluster on Server2.
You need to ensure that the AD RMS cluster is discoverable automatically by the AD RMS client computers and
the users in contoso.com.
Which additional configuration settings should you configure? To answer, select the appropriate tab in the
answer area.
Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
AD RMS Client Service Discovery

http://technet.microsoft.com/en-us/library/cc755112.aspx
QUESTION 20
* Your company has a primary data center and a disaster recovery data center.
The network contains an Active Directory domain named contoso.com. The domain contains a server named
that runs Windows Server 2012. Server1 is located in the primary data center.
Server1 has an enterprise root certification authority (CA) for contoso.com.
You deploy another server named Server2 to the disaster recovery data center.
You plan to configure Server2 as a secondary certificate revocation list (CRL) distribution point.
You need to configure Server2 as a CRL distribution point (CDP).

Which tab should you use to configure the required CDP entry? To answer, select the appropriate tab in the
answer area.
Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:

http://technet.microsoft.com/en-us/library/cc753296.aspx
QUESTION 21
* Your network contains an Active Directory domain named contoso.com. The domain contains the two servers.
The servers are configured as shown in the following table.

You investigate a report about the potential compromise of a private key for a certificate issued to Server2.
You need to revoke the certificate issued to Server2. The solution must ensure that the revocation can be
reverted.
Which reason code should you select?
To answer, select the appropriate reason code in the answer area.
Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
Certificates revoked with the reason code "Certificate Hold" can be unrevoked, left on "Certificate Hold" until
they expire, or have their revocation reason code changed. "Certificate Hold" is the only revocation reason that
will allow you to unrevoke the certificate. It is useful if the status of the certificate is questionable and is meant
to provide some flexibility to the CA administrator.
http://technet.microsoft.com/en-us/library/cc771079.aspx
http://technet.microsoft.com/en-us/library/cc739815%28v=ws.10%29.aspx
QUESTION 22
* (A) Your network contains an Active Directory domain named contoso.com. The domain contains two
member servers named Server1 and Server2 that run Windows Server 2012.

Server1 has Microsoft SQL Server 2012 installed.


You install the Active Directory Federation Services server role on Server2.
You need to configure Server2 as the first Active Directory Federation Services (AD FS) server in the domain.
The solution must ensure that the AD FS database is stored in a SQL Server database on Server1.
What should you do on Server2?
A. From the AD FS console, run the AD FS Federation Server Configuration Wizard and select the Standalone federation server option.
B. From Server Manager, install the Federation Service Proxy.
C. From Windows PowerShell, run Install-ADFSFarm.
D. From Server Manager, install the AD FS Web Agents.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
A stand-alone federation server in Active Directory Federation Services (AD FS) 2.0 consists of a single
server that hosts a Federation Service configured to use the Windows Internal Database (WID). This AD FS 2.0
topology is for test labs. We do not recommend it for production environments because it has a limit of only one
federation server, and it cannot be used to scale up to more servers.
If you want to add additional federation servers to your test lab, you must rebuild the Federation Service from
scratch by deploying any of the other topologies mentioned later in this section. Therefore, we recommend that
you use this topology for a test lab or a proof-of-concept environment in your private testing network in which a
single federation server is adequate, as shown in the following illustration.
http://blogs.technet.com/b/askpfeplat/archive/2013/07/22/faq-on-adfs-part-1.aspx

PS C:\> $fscredential = Get-Credential
PS C:\> Install-AdfsFarm -CertificateThumbprint 8169c52b4ec6e77eb2ae17f028fe5da4e35c0bed -FederationServiceName fs.corp.contoso.com -ServiceAccountCredential $fscredential -SQLConnectionString "Data Source=SQLHost;Integrated Security=True"

To create the first federation server in a federation server farm


There are two ways to start the AD FS Federation Server Configuration Wizard. On the Welcome page, verify
that Create a new Federation Service is selected, and then click Next.
On the Select Stand-Alone or Farm Deployment page, click New federation server farm, and then click Next.

On the Specify the Federation Service Name page, verify that the SSL certificate that is showing is correct. If
this is not the correct certificate, select the appropriate certificate from the SSL certificate list.
Etc.
Note:
After you install the Federation Service role service and configure the required certificates on a computer, you
are ready to configure the computer to become a federation server. You can use the following procedure to set
up the computer to become the first federation server in a new federation server farm using the AD FS
Federation Server Configuration Wizard.
The act of creating the first federation server in a farm also creates a new Federation Service and makes this
computer the primary federation server. This means that this computer will be configured with a read/write copy
of the AD FS configuration database. All other federation servers in this farm must replicate any changes that
are made on the primary federation server to their read-only copies of the AD FS configuration database that
they store locally.
Reference: To create the first federation server in a federation server farm
QUESTION 23
* (D) Your network contains a server named Server1 that runs Windows Server 2012. Server1 has the Active
Directory Certificate Services server role installed and is configured as a standalone certification authority (CA).
You install a second server named Server2. You install the Online Responder role service on Server2.
You need to ensure that Server1 can issue an Online Certificate Status Protocol (OCSP) Response Signing
certificate to Server2.
What should you do?
A. certutil.exe -verify
B. certutil.exe -getkey
C. certreq -retrieve
D. certreq -setreg

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:

http://technet.microsoft.com/en-us/library/cc732526.aspx
QUESTION 24
* Your network contains an Active Directory domain named adatum.com. The domain contains four servers.
The servers are configured as shown in the following table.

You plan to deploy an enterprise certification authority (CA) on a server named Server5. Server5 will be used to
issue certificates to domain-joined computers and workgroup computers.
You need to identify which server you must use as the certificate revocation list (CRL) distribution point for
Server5.
Which server should you identify?
A. Server3
B. Server2
C. Server4
D. Server1

Correct Answer: C

Section: (none)
Explanation
Explanation/Reference:
Certificates rely on certification authorities to maintain an updated list of revoked certificates issued by the
public key infrastructure. Certificates are revoked for a number of reasons; not all revocations are for
compromised certificates or nefarious reasons. It is essential that when a computer is presented a revoked
certificate, that it does not honor the certificate.
The common means to inform computers of revoked certificates is by using a certificate revocation list (CRL).
Ensuring that the certificate revocation list gets to all computers can be problematic.
The certificate revocation list or CRL is a primary mechanism that ensures the security and health of your PKI.
The CRL is a list of all certificates that have been issued by your PKI but have been revoked for one reason or
another. There are two types of CRLs. The first type is a full CRL; it contains all certificates revoked by the PKI.
The second type is known as a delta CRL. It contains the list of all revoked certificates since the last time a full
CRL was created. If a computer has received a full CRL, it requests a delta CRL, unless a new full CRL is
available.
It is not always possible to contact a CA or other trusted server for information about the validity of a certificate.
To effectively support certificate status checking, a client must be able to access revocation data to determine
whether the certificate is valid or has been revoked. To support a variety of scenarios, Active Directory
Certificate Services (AD CS) supports industry-standard methods of certificate revocation. These include
publication of certificate revocation lists (CRLs) and delta CRLs, which can be made available to clients from
a variety of locations, including Active Directory Domain Services (AD DS), Web servers, and network
file shares.

Because Server5 issues certificates to "domain-joined computers and workgroup computers", the CRL distribution
point must be a web server.


http://blogs.technet.com/b/nexthop/archive/2012/12/17/creating-a-certificate-revocation-list-distribution-pointfor-your-internal-certification-authority.aspx
http://technet.microsoft.com/en-us/library/cc771079.aspx
QUESTION 25
* Your network contains an Active Directory domain named contoso.com. The domain contains an enterprise
certification authority (CA).
The domain contains a server named Server1 that runs Windows Server 2012.
You install the Active Directory Federation Services server role on Server1.
You plan to configure Server1 as an Active Directory Federation Services (AD FS) server. The Federation
Service name will be set to adfs1.contoso.com.
You need to identify which type of certificate template you must use to request a certificate for AD FS.
Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
Each Web server that hosts an Active Directory Federation Services (ADFS) Web Agent requires a Secure
Sockets Layer (SSL) server authentication certificate to communicate securely with Web clients.
Certificates used by AD FS-enabled Web servers
Each AD FS-enabled Web server that hosts an AD FS Web Agent uses SSL server authentication certificates
to securely communicate with Web clients. These certificates are requested and installed through the Internet
Information Services (IIS) Manager snap-in.
http://technet.microsoft.com/pt-pt/library/cc786505%28v=ws.10%29.aspx
http://technet.microsoft.com/en-us/library/cc730660.aspx
QUESTION 26
Your network contains an Active Directory domain named corp.contoso.com.
You deploy Active Directory Rights Management Services (AD RMS).
You have a rights policy template named Template1. Revocation is disabled for the template.
A user named User1 can open content that is protected by Template1 while the user is connected to the
corporate network.

When User1 is disconnected from the corporate network, the user cannot open the protected content even if
the user previously opened the content.
You need to ensure that the content protected by Template1 can be opened by users who are disconnected
from the corporate network.
What should you modify?
A. The User Rights settings of Template1
B. The templates file location of the AD RMS cluster
C. The Extended Policy settings of Template1
D. The exclusion policies of the AD RMS cluster

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
You can add trust policies so that AD RMS can process licensing requests for content that was rights protected.
http://technet.microsoft.com/en-us/library/ee221071(v=ws.10).aspx
QUESTION 27
Your network contains a server named Server1 that runs Windows Server 2012. Server1 has the Active
Directory Certificate Services server role installed and is configured as a standalone certification authority (CA).
You install a second server named Server2. You install the Online Responder role service on Server2.
You need to ensure that Server1 can issue an Online Certificate Status Protocol (OCSP) Response Signing
certificate to Server2.
What should you do?
A. On Server1, run the certutil.exe command and specify the -setreg parameter.
B. On Server2, run the certutil.exe command and specify the -policy parameter.
C. On Server1, configure Security for the OCSP Response Signing certificate template.
D. On Server2, configure Issuance Requirements for the OCSP Response Signing certificate template.

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:

http://technet.microsoft.com/en-us/library/cc732526.aspx
QUESTION 28
Your network contains a perimeter network and an internal network. The internal network contains an Active
Directory Federation Services (AD FS) 2.1 infrastructure. The infrastructure uses Active Directory as the
attribute store.
You plan to deploy a federation server proxy to a server named Server2 in the perimeter network.
You need to identify which value must be included in the certificate that is deployed to Server2.
What should you identify?
A. The FQDN of the AD FS server
B. The name of the Federation Service
C. The name of the Active Directory domain
D. The public IP address of Server2

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Certificate Requirements for Federation Server Proxies

http://technet.microsoft.com/en-us/library/dd807054.aspx
QUESTION 29
Your network contains an Active Directory domain named contoso.com. The domain contains two servers
named Server1 and Server2. Both servers have the Hyper-V server role installed.
You plan to replicate virtual machines between Server1 and Server2. The replication will be encrypted by using
Secure Sockets Layer (SSL).
You need to request a certificate on Server1 to ensure that the virtual machine replication is encrypted.
Which two intended purposes should the certificate for Server1 contain? (Each correct answer presents part of
the solution. Choose two.)
A. Client Authentication
B. Kernel Mode Code Signing
C. Server Authentication
D. IP Security end system
E. KDC Authentication

Correct Answer: AC
Section: (none)
Explanation
Explanation/Reference:
Hyper-V Replica Certificate Requirements
If you want to use HTTPS authentication and replication, then you will need to create certificates for the hosts/
clusters in both the primary and secondary sites. The certificate must be configured for server
authentication and client authentication. The certificate must also be issued to the FQDN of the host or HVR
Broker, and it must include the exportable private keys for traffic decryption.

http://blogs.technet.com/b/virtualization/archive/2012/03/13/hyper-v-replica-certificate-requirements.aspx
http://www.petri.co.il/use-hyper-v-replica-over-https-ssl-configure-certificates.htm
QUESTION 30
* You have an Active Directory Rights Management Services (AD RMS) cluster.
You need to prevent users from encrypting new content. The solution must ensure that the
users can continue to decrypt content that was encrypted already.
Which two actions should you perform? (Each correct answer presents part of the solution.
Choose two.)
A. From the Active Directory Rights Management Services console, enable decommissioning.
B. From the Active Directory Rights Management Services console, create a user exclusion policy.
C. Modify the NTFS permissions of %systemdrive%\inetpub\wwwroot\_wmcs\licensing.
D. Modify the NTFS permissions of %systemdrive%\inetpub\wwwroot\_wmcs\decommission.
E. From the Active Directory Rights Management Services console, modify the rights policy templates.

Correct Answer: BE
Section: (none)
Explanation
Explanation/Reference:
QUESTION 31
* You have a server named Server1 that runs Windows Server 2012 R2.

From Server Manager, you install the Active Directory Certificate Services server role on Server1.
A domain administrator named Admin1 logs on to Server1.
When Admin1 runs the Certification Authority console, Admin1 receives the following error message.

You need to ensure that when Admin1 opens the Certification Authority console on Server1, the error message
does not appear.
What should you do?
A. Install the Active Directory Certificate Services (AD CS) tools.
B. Run the regsvr32.exe command.
C. Modify the PATH system variable.
D. Configure the Active Directory Certificate Services server role from Server Manager.

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
http://technet.microsoft.com/en-us/library/dn265983.aspx
If you use a non-existent local path or folder as the destination folder, you will see the error:
The system cannot find the file specified. 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND)
http://clintboessen.blogspot.com/2013/11/cannot-manage-active-directory.html
This error is caused because you have not yet finished the configuration of AD CS using Windows Server 2012
R2 Server Manager. In previous versions of Windows Server, these installation steps were part of "adding the
role", however in Server 2012 these additional configuration steps are hard to find and had me stumped.
To finish the configuration, click on AD CS on the left in server manager then hit the little "more" button that
comes up. On the "All Servers Task Details and Notifications" select "Configure Active Directory Certificate
Services".
These have been marked in red in the following screenshot.
QUESTION 32
* You are employed as a network admin at ABC.com.
ABC.com has an AD domain named ABC.com. All servers on the ABC network have Windows 2012 R2
installed. You are currently running a training exercise for junior network admins. You are discussing the
endpoint types supported by AD FS. Which of the following are supported types? (Choose all that apply.)

A. SAML WebSSO
B. Anonymous
C. WS-Federation passive
D. Client Certificate
E. WS-Trust

Correct Answer: ACE


Section: (none)
Explanation
Explanation/Reference:
QUESTION 33
* You are employed as a network admin at ABC.com.
ABC.com has an AD domain named ABC.com. All servers on the ABC network have Windows 2012 R2
installed. You are currently running a training exercise for junior network admins. You are discussing the
PKISync.ps1 tool. Which of the following is true with regard to PKISync.ps1?
A. It adds a certificate template to the CA.
B. It assists admins in diagnosing replication problems between Windows domain controllers.
C. It is used to display information about the digital certificates that are installed on a DirectAccess client,
DirectAccess server or intranet resource.
D. It copies in the source forest to the target forest.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 34
* Your network contains an Active Directory domain named contoso.com. The domain contains a server named
Server1 that runs Windows Server 2012 R2. Server1 has the Active Directory Certificate Services server role
installed and is configured to support key archival and recovery.
You create a new Active Directory group named Group1.
You need to ensure that the members of Group1 can request a Key Recovery Agent certificate. The solution
must minimize the permissions assigned to Group1.
Which two permissions should you assign to Group1? (Each correct answer presents part of the solution.
Choose two.)

A. Read
B. Auto Enroll
C. Write
D. Enroll
E. Full control

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:
QUESTION 35
* Your network contains 3 AD forests. Each forest contains an AD RMS root cluster. All of the users in all of the
forests must be able to access protected content from any of the forests. You need to identify the minimum
number of AD RMS trusts required. How many trusts should you identify?
A. 2
B. 3
C. 4
D. 6

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 36
* Your network contains an AD domain named contoso.com. All servers run Windows 2012 R2. The domain
contains a DC named DC1 that is configured as an enterprise root authority (CA). All users in the domain are
issued a smart card and are required to log on to their domain-joined client computer by using their smart card.
A user named User1 resigned and started to work for a competing company. You need to prevent User1 from
logging on to any computer in the domain. The solution must not prevent other users from logging on to the
domain. Which tool should you use?
A. Active Directory Sites and Services
B. Active Directory Administrative Center
C. Server Manager
D. Certificate Templates

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 37
* Your network contains an Active Directory domain named contoso.com. A previous administrator
implemented a Proof of Concept installation of Active Directory Rights Management Services (AD RMS). After
the proof of concept was complete, the Active Directory Rights Management Services server role was removed.
You attempt to deploy AD RMS. During the configuration of AD RMS, you receive an error message indicating
that an existing AD RMS Service Connection Point (SCP) was found.
You need to remove the existing AD RMS SCP.
Which tool should you use?
A. ADSI Edit
B. Active Directory Users and Computers
C. Active Directory Domains and Trusts
D. Active Directory Sites and Services
E. Authorization Manager
F. Certification Authority
Correct Answer: AD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 38
* [[[CE]]]] Your network contains an Active Directory domain named contoso.com. The domain contains a
member server named Server1 that has the Active Directory Federation Services server role installed. All
servers run Windows Server 2012.d
You complete the Active Directory Federation Services Configuration Wizard on Server1.
You need to ensure that client devices on the internal network can use Workplace Join.
Which two actions should you perform on Server1? (Each correct answer presents part of the solution. Choose
two.)
A. Run Enable-AdfsDeviceRegistration -PrepareActiveDirectory.
B. Edit the multi-factor authentication global authentication policy settings.
C. Run Enable-AdfsDeviceRegistration.
D. Run Set-AdfsProxyProperties -HttpPort 80.
E. Edit the primary authentication global authentication policy settings.

Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
Google "Workplace Join" Keith Meyers blog shows a step-by-step configuration. Step 10 shows the answers.
QUESTION 39
* Your network contains an Active Directory domain named contoso.com. The domain contains a server named
Server1 that runs Windows Server 2012.
Server1 is the enterprise root certification authority (CA) for contoso.com.
You need to enable CA role separation on Server1.
Which tool should you use?
A. The Certutil command
B. The Authorization Manager console
C. The Certsrv command
D. The Certificates snap-in

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
QUESTION 40
* Your network contains an Active Directory domain named contoso.com. The domain contains servers named
Server1 and Server2 that run Windows Server 2012 R2. Server1 has the Active Directory Federation Services
server role installed. Server2 is a file server.
Your company introduces a Bring Your Own Device (BYOD) policy.
You need to ensure that users can use a personal device to access domain resources by using Single Sign-On
(SSO) while they are connected to the internal network.
Which two actions should you perform? (Each correct answer presents part of the solution.
Choose two.)
A. Enable the Device Registration Service in Active Directory.
B. Publish the Device Registration Service by using a Web Application Proxy.
C. Configure Active Directory Federation Services (AD FS) for the Device Registration Service.
D. Create and configure a sync share on Server2.
E. Install the Work Folders role service on Server2.

Correct Answer: AC
Section: (none)
Explanation
Explanation/Reference:
http://technet.microsoft.com/en-us/library/dn486831.aspx
To enable seamless second factor authentication, persistent single sign-on (SSO) and conditional access for
Workplace Joined devices
In the AD FS Management console, navigate to Authentication Policies. Select Edit Global Primary
Authentication. Select the check box next to Enable Device Authentication, and then click OK.
http://technet.microsoft.com/en-us/library/dn280945.aspx

QUESTION 41
* Your network contains an Active Directory domain named contoso.com. The domain contains a certification
authority (CA).
You suspect that a certificate issued to a Web server is compromised.
You need to minimize the likelihood that users will trust the compromised certificate.
Which two actions should you perform? (Each correct answer presents part of the solution.
Choose two.)
A. Stop the Certificate Propagation service.
B. Modify the validity period of the Web Server certificate template.
C. Run certutil and specify the -revoke parameter.
D. Run certutil and specify the -deny parameter.
E. Publish the certificate revocation list (CRL).

Correct Answer: CE
Section: (none)
Explanation

Explanation/Reference:
QUESTION 42
* Your network contains an Active Directory domain named contoso.com. The domain contains a server named
Server1 that runs a Server Core installation of Windows Server 2012 R2.
You need to deploy a certification authority (CA) to Server1. The CA must support the auto-enrollment of
certificates.
Which two cmdlets should you run? (Each correct answer presents part of the solution.
Choose two.)

A. Add-CAAuthorityInformationAccess
B. Install-AdcsCertificationAuthority
C. Add-WindowsFeature
D. Install-AdcsOnlineResponder
E. Install-AdcsWebEnrollment

Correct Answer: BE
Section: (none)
Explanation
Explanation/Reference:
QUESTION 43
* Your network contains an Active Directory domain named contoso.com. The domain contains a server named
Server1 that runs Windows Server 2012 R2.
Server1 is an enterprise root certification authority (CA) for contoso.com.
You need to ensure that the members of a group named Group1 can request code signing
certificates. The certificates must be issued automatically to the members.
Which two actions should you perform? (Each correct answer presents part of the solution.
Choose two.)
A. From Certificate Templates, modify the certificate template
B. From Certification Authority, add a certificate template to be issued.
C. From Certificate Authority, modify the CA properties.
D. From Certificate Templates, duplicate a certificate template
E. From Certificate Authority, stop and start the Active Directory Certificate Services (AD CS) service.

Correct Answer: AB
Section: (none)
Explanation
Explanation/Reference:
QUESTION 44

* Your network contains two Active Directory forests named contoso.com and adatum.com. Each forest
contains an Active Directory Rights Management Services (AD RMS) root
cluster. All servers run Windows Server 2012 R2.
You need to ensure that the rights account certificates issued in adatum.com are accepted by the AD RMS root
cluster in contoso.com.
What should you do in each forest?
To answer, drag the appropriate actions to the correct forests. Each action may be used once, more than once,
or not at all. You may need to drag the split bar between panes or scroll to view content.

Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
QUESTION 45
* Your network contains an Active Directory forest named contoso.com. The forest contains two child domains
named east.contoso.com and west.contoso.com.
You install an Active Directory Rights Management Services (AD RMS) cluster in each child domain.
You discover that all of the users in the contoso.com forest are directed to the AD RMS cluster in
east.contoso.com.
You need to ensure that the users in west.contoso.com are directed to the AD RMS cluster in
west.contoso.com and that the users in east.contoso.com are directed to the AD RMS cluster in
east.contoso.com.
What should you do?
A. Modify the Service Connection Point (SCP).
B. Configure the Group Policy object (GPO) settings of the users in the west.contoso.com domain
C. Configure the Group Policy object (GPO) settings of the users in the east.contoso.com domain.
D. Modify the properties of the AD RMS cluster in west.contoso.com.

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
http://technet.microsoft.com/en-us/library/jj735304.aspx

You really shouldn't even be deploying more than one AD RMS cluster per forest.
QUESTION 46
* Your network contains an Active Directory domain named contoso.com. The domain contains two servers
named Server1 and Server3. The network contains a standalone server named Server2.
All servers run Windows Server 2012 R2. The servers are configured as shown in the following table.

Server3 hosts an application named App1. App1 is accessible internally by using the URL
https://appl.contoso.com. App1 only supports Integrated Windows authentication.
You need to ensure that all users from the Internet are pre-authenticated before they can access App1.
What should you do?
To answer, drag the appropriate servers to the correct actions. Each server may be used once, more than
once, or not at all. You may need to drag the split bar between panes or scroll to view content.

Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
QUESTION 47
* Your network contains an Active Directory domain named adatum.com. The domain contains three servers.
The servers are configured as shown in the following table.

Server1 is configured as shown in the exhibit. (Click the Exhibit button.)

Template1 contains custom cryptography settings that are required by the corporate security team.
On Server2, an administrator successfully installs a certificate based on Template1.
The administrator reports that Template1 is not listed in the Certificate Enrollment wizard on Server3, even after
selecting the Show all templates check box.
You need to ensure that you can install a server authentication certificate on Server3. The certificate must
comply with the cryptography requirements.
Which three actions should you perform in sequence?
To answer, move the appropriate three actions from the list of actions to the answer area and arrange them in
the correct order.

Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
QUESTION 48
* Your network contains an Active Directory domain named contoso.com. The domain contains a server named
Server1 that runs Windows Server 2012 R2.
You plan to install the Active Directory Federation Services server role on Server1 to allow for Workplace Join.
You run nslookup enterpriseregistration and you receive the following results:

You need to create a certificate request for Server1 to support the Active Directory Federation Services (AD
FS) installation.
How should you configure the certificate request?
To answer, drag the appropriate names to the correct locations. Each name may be used once, more than
once, or not at all. You may need to drag the split bar between panes or scroll to view content.

Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
QUESTION 49

* Your network contains an Active Directory domain named contoso.com. The domain contains two member
servers named Server1 and Server2 that run Windows Server 2012 R2.
Server1 has Microsoft SQL Server 2012 installed.
You install the Active Directory Federation Services server role on Server2.
You need to configure Server2 as the first Active Directory Federation Services (AD FS) server in the domain.
The solution must ensure that the AD FS database is stored in a SQL Server database on Server1.
What should you do on Server2?
A. From the AD FS console, run the AD FS Federation Server Configuration Wizard and select the Standalone federation server option.
B. From Server Manager, install the Federation Service Proxy.
C. From Windows PowerShell, run Install-ADFSFarm.
D. From Server Manager, install the AD FS Web Agents
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 50
* Your network contains an Active Directory domain named contoso.com.
You deploy a server named Server1 that runs Windows Server 2012 R2.
A local administrator installs the Active Directory Rights Management Services server role on Server1.
You need to ensure that AD RMS clients can discover the AD RMS cluster automatically.
What should you do?
A. Run the Active Directory Rights Management Services console by using an account that is a member of the
Schema Admins group, and then configure the proxy settings.
B. Run the Active Directory Rights Management Services console by using an account that is a member of
the Schema Admins group, and then register the Service Connection Point (SCP).
C. Run the Active Directory Rights Management Services console by using an account that is a member of the
Enterprise Admins group, and then register the Service Connection Point (SCP).
D. Run the Active Directory Rights Management Services console by using an account that is a member of the
Enterprise Admins group, and then configure the proxy settings.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 51
* Your network contains an AD domain named contoso.com. The domain contains a server named Server1 that
runs Windows Server 2012 R2. Server1 has ADRM services installed. The domain contains a domain local
group named Group1. You create a rights policy template named Template1. You assign Group1 the rights to
Template1. You need to ensure that all the members of Group1 can use Template1. What should you do?

A. Configure the email address attribute of Group1
B. Convert the scope of Group1 to global
C. Convert the scope of Group1 to universal
D. Configure the email address attribute of all the users who are members of Group1

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
