Microsoft 70-410 Online Practice Questions and Exam Preparation

Microsoft 70-410 Online Questions & Answers

• Question 421:

  Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2 and has the Remote Access server role installed.

  A user named User1 must connect to the network remotely. The client computer of User1 requires Challenge Handshake Authentication Protocol (CHAP) for remote connections. CHAP is enabled on Server1.

  You need to ensure that User1 can connect to Server1 and authenticate to the domain.

  What should you do from Active Directory Users and Computers?

  A. From the properties of User1, select Store password using reversible encryption.
  B. From the properties of Server1, assign the Allowed to Authenticate permission to User1.
  C. From the properties of User1, select Use Kerberos DES encryption types for this account.
  D. From the properties of Server1, select Trust this computer for delegation to any service (Kerberos only).
  A. From the properties of User1, select Store password using reversible encryption.

  ---

  The Store password using reversible encryption policy setting provides support for Applications that use protocols that require the user's password for authentication. Storing encrypted passwords in a way that irreversible means that the encrypted passwords can be decrypted. A knowledgeable attacker who is able to break this encryption can then log on to network resources by using the compromised account. For this reason, never enable Store password using reversible encryption for all users in the domain unless Application requirements outweigh the need to protect password information. If you use the Challenge Handshake Authentication Protocol (CHAP) through remote access or Internet Authentication Services (IAS), you must enable this policy setting. CHAP is an authentication protocol that is used by remote access and network connections. Digest Authentication in Internet Information Services (IIS) also requires that you enable this policy setting. If your organization uses CHAP through remote access or IAS, or Digest Authentication in IIS, you must configure this policy setting to Enabled. This presents a security risk when you App1y the setting through Group Policy on a user-by-user basis because it requires the appropriate user account object to be opened in Active Directory Users and Computers.

• Question 422:

  Your network contains an Active Directory domain named contoso.com. The domain contains a member server named Server1. Server1 runs Windows Server 2012 and has the File Server server role installed. On Server1, you create a share named Documents. The Share permission for the Documents share is configured as shown in the following table.

  

  The NTFS permission for the Documents share is configured as shown in the following table.

  

  You need to configure the Share and NTFS permissions for the Documents share. The permissions must meet the following requirements:

  Ensure that the members of a group named Group1 can read files and run programs in - Documents. Ensure that the members of Group1 can modify the permissions on their own files in Documents.

  Ensure that the members of Group1 can create folders and files in Documents.

  Minimize the number of permissions assigned to users and groups.

  How should you configure the permissions?

  To answer, drag the appropriate permission to the correct location. Each permission may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

  Select and Place:

  

  

  ---

  Granting a user Full Control NTFS permission on a folder enables that user to take ownership of the folder unless the user is restricted in some other way. Be cautious in granting Full Control.

  If you want to manage folder access by using NTFS permissions exclusively, set share permissions to Full Control for the Everyone group.

  NTFS permissions affect access both locally and remotely. NTFS permissions apply regardless of protocol. Share permissions, by contrast, apply only to network shares. Share permissions do not restrict access to any local user, or to any

  terminal server user, of the computer on which you have set share permissions. Thus, share permissions do not provide privacy between users on a computer used by several users, nor on a terminal server accessed by several users.

  Reference: http://technet.microsoft.com/en-us/library/cc754178.aspx

• Question 423:

  Your network contains an Active Directory forest. The forest contains two domains named contoso.com and corp.contoso.com. The forest contains four domain controllers. The domain controllers are configured as shown in the following table.

  

  All domain controllers are DNS servers. In the corp.contoso.com domain, you plan to deploy a new domain controller named DC5.

  You need to identify which domain controller must be online to ensure that DC5 can be promoted successfully to a domain controller.

  Which domain controller should you identify?

  A. DC1
  B. DC2
  C. DC3
  D. DC4
  C. DC3

• Question 424:

  Your network contains an Active Directory domain named contoso.com. The domain contains a print server named Server1 that runs Windows Server 2012 R2. Server1 contains a local group named Group1 that includes the Server

  Operators group, the Administrators group, and the Print Operators group.

  You share a printer named Printer1 on Server1.

  You need to configure Printer1 to meet the following requirements:

  Ensure that the members of Group1, the Server Operators group, the Administrators group, and the Print Operators group can send print jobs to Printer1.

  

  Prevent other users from sending print jobs to Printer1.

  

  Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

  A. Remove the permissions for the Creator Owner group.
  B. Assign the Print permission to the Administrators group.
  C. Remove the permissions for the Everyone group.
  D. Assign the Print permission to the Server Operators group.
  E. Assign the Print permission to Group1.
  C. Remove the permissions for the Everyone group.
  E. Assign the Print permission to Group1.

  ---

  C. To prevent other users from sending print jobs to Printer1

  E. To enable Group1 to send print jobs.

  Note: The Server Operators group, the Administrators group, and the Print Operators group are all built-in and already have permissions to send print jobs.

• Question 425:

  Note: This question is part of a series of questions that use the same or similar answer choices. An answer choice may be correct for more than one question in the series. Each question is independent of the other questions in this series. Information and details provided in a question apply only to that question.

  Your network contains one Active Directory domain named contoso.com. The domain contains 10 domain controllers and a read-only domain controller (RODC) named RODC01.

  You plan to replace a domain controller named DC1. DC1 has the schema operations master role.

  You need to transfer the schema master role to another domain controller named DC10 before you remove Active Directory from DC1.

  Which tool should you use?

  A. the ntdsutil command
  B. the Set-ADDomainWindows PowerShell cmdlet
  C. the Install-ADDSDomainWindows PowerShell cmdlet
  D. the dsadd command
  E. the dsamain command
  F. the dsmgmt command
  G. the net user command
  H. the Set-ADForestWindows PowerShell cmdlet
  A. the ntdsutil command

  ---

  To transfer the schema master role using the command line:

  Open Command Prompt.

  Type:

  ntdsutil

  At the ntdsutil command prompt, type:

  roles

  At the fsmo maintenance command prompt, type:

  connection

  At the server connections command prompt, type:

  connect to server Domain Controller

  At the server connections command prompt, type:

  quit

  At the fsmo maintenance command prompt, type:

  transfer schema master

• Question 426:

  Your network contains an Active Directory domain named adatum.com. The domain contains a member server named L0N-DC1. L0N-DC1 runs Windows Server 2012 R2 and has the DHCP Server server role installed.

  The network contains 100 client computers and 50 IP phones. The computers and the phones are from the same vendor.

  You create an IPv4 scope that contains addresses from 172.16.0.1 to 172.16.1.254.

  You need to ensure that the IP phones receive IP addresses in the range of 172.16.1.100 to 172.16.1.200. The solution must minimize administrative effort.

  What should you create?

  A. Server level policies
  B. Reservations
  C. Filters
  D. Scope level policies
  D. Scope level policies

  ---

  The scope is already in place.

  Scope level policies are typically settings that only apply to that scope. They can also overwrite a setting that was set at the server level.

  When a client matches the conditions of a policy, the DHCP server responds to the clients based on the settings of a policy.

  Settings associated to a policy can be an IP address range and/or options.

  An administrator could configure the policy to provide an IP address from a specified sub-range within the overall IP address range of the scope.

  You can also provide different option values for clients satisfying this policy.

  Policies can be defined server wide or for a specific scope.

  A server wide policy ?on the same lines as server wide option values ?is applicable to all scopes on the DHCP server.

  A server wide policy however cannot have an IP address range associated with it.

  There a couple of ways to segregate clients based on the type of device. One way to do this is by using vendor class/identifier.

  This string sent in option 60 by most DHCP clients identify the vendor and thereby the type of the device.

  Another way to segregate clients based on device type is by using the MAC address prefix. The first three bytes of a MAC address is called OUI and identify the vendor or manufacturer of the device. By creating DHCP policies with conditions

  based on Vendor Class or MAC address prefix, you can now segregate the clients in your subnet in such a way, that devices of a specific type get an IP address only from a specified IP address range within the scope. You can also give

  different set of options to these clients.

  In conclusion, DHCP policies in Windows Server 2012 R2 enables grouping of clients/devices using the different criteria and delivering targeted network configuration to them. Policy based assignment in Windows Server 2012 R2 DHCP

  allows you to create simple yet powerful rules to administer DHCP on your network.

  References:

  Training Guide: Installing and Configuring Windows Server 2012 R2, Chapter 6: Network Administration, p.253

• Question 427:

  A company's server deployment team needs to install fourteen Windows Server 2012 R2 to handle the expected increase in holiday traffic. The team would like the option of switching the servers between Server Core and Full GUI servers and do not want to be locked in to their first choice.

  The server team would like four of the servers to include the Windows 8 Shell.

  Which installation option is required for these servers?

  A. Server Core
  B. Desktop Experience
  C. Server with a GUI
  D. Minimal Server Interface
  B. Desktop Experience

  ---

  The Desktop Experience installation option includes the Windows 8 Shell feature. This installation option also includes other features available for installation not found in the other three; such as Themes, Windows Store and support for

  Windows Store apps, and Windows Media Player.

  Quick Tip: To completely remove a feature and the binary files from the disk, use the Windows PowerShell command Uninstall-WindowsFeature. For example, to remove Desktop Experience:

  Uninstall-WindowsFeature Desktop-Experience 璕emove.

• Question 428:

  Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1. Server1 runs Windows Server 2012 R2.

  You create a group Managed Service Account named gservice1.

  You need to configure a service named Service1 to run as the gservice1 account.

  How should you configure Service1?

  A. From the Services Console, configure the recovery settings
  B. From a command prompt, run sc.exe and specify the config parameter
  C. From Windows PowerShell, run Set-Service and specify the -PassThrough parameter
  D. From a command prompt, run sc.exe and specify the sdset parameter
  B. From a command prompt, run sc.exe and specify the config parameter

  ---

  Sc config, Modifies the value of a service's entries in the registry and in the Service Control Manager database.

  obj= { | }

  Specifies a name of an account in which a service will run, or specifies a name of the Windows driver object in which the driver will run. The default setting is LocalSystem.

  password=

  Specifies a password. This is required if an account other than the LocalSystem account is used.

• Question 429:

  Your network contains one Active Directory domain named contoso.com. The domain contains 2,000 client computers used by students.

  You recently discover an increase in calls to the helpdesk that relate to security policy to meet the following requirement:

  Modify the UserName of the built-in account named Administrator

  Support a time mismatch between client computers and domain controllers of up to three minutes.

  Which Two security settings should you modify?

  A. Account Policies
  B. Password Policy
  C. Account Lockout Policy
  D. Kerberos Policy
  E. Local Policies
  F. Audit Policy
  G. User Rights Assignment
  H. Security Options
  D. Kerberos Policy
  H. Security Options

  ---

  In Group Policy Object Editor, click Computer Configuration, click Windows Settings, click Security Settings, click Local Policies, and then click Security Options.

  In the details pane, double-click Accounts: Rename administrator account.

• Question 430:

  Your infrastructure divided in 2 sites. You have a forest root domain and child domain. There is only one DC on site 2 with no FSMO roles. The link goes down to site 2 and no users can log on. What FSMO roles you need on to restore the access?

  A. Infrastructure master
  B. RID master
  C. Domain Naming master
  D. PDC Emulator
  D. PDC Emulator

  ---

  The PDC emulator is used as a reference DC to double-check incorrect passwords and it also receives new password changes.

  PDC Emulator is the most complicated and least understood role, for it runs a diverse range of critical tasks. It is a domain-specific role, so exists in the forest root domain and every child domain. Password changes and account lockouts are

  immediately processed at the PDC Emulator for a domain, to ensure such changes do not prevent a user logging on as a result of multi-master replication delays, such as across Active Directory sites.