Microsoft 70-411 Online Practice Questions and Exam Preparation

Microsoft 70-411 Online Questions & Answers

• Question 171:

  Your network contains a RADIUS server named Admin1.

  You install a new server named Server2 that runs Windows Server 2012 R2 and has Network Policy Server (NPS) installed.

  You need to ensure that all accounting requests for Server2 are forwarded to Admin1.

  On Server2, you create a new remote RADIUS server group named Group1 that contains Admin1.

  What should you configure next on Server2?

  To answer, select the appropriate node in the answer area.

  Hot Area:

  

  

• Question 172:

  Your network contains an Active Directory domain named adatum.com. The domain has a certification authority (CA) named CA1.

  All servers run Windows Server 2012 R2. All client computers run Windows 10.

  You need to add a data recovery agent for the Encryption File System (EFS) to the domain.

  What should you do?

  A. From the Default Domain Controllers Policy, select Add Data Recovery Agent.
  B. From the Default Domain Controllers Policy, select Create Data Recovery Agent.
  C. From the Default Domain Policy, select Add Data Recovery Agent.
  D. From the Default Domain Policy, select Create Data Recovery Agent.
  C. From the Default Domain Policy, select Add Data Recovery Agent.

  ---

  References: https://msdn.microsoft.com/library/cc875821.aspx#EJAA

• Question 173:

  You have a server named Server1 that runs Windows Server 2012 R2. Server1 has the Windows Server Update Services server role installed. You need to configure Windows Server Update Services (WSUS) to support Secure Sockets Layer (SSL).

  Which three actions should you perform? (Each correct answer presents part of the solution. Choose three.)

  A. From Internet Information Services (IIS) Manager, modify the connection strings of the WSUS website.
  B. Install a server certificate.
  C. Run the wsusutil.exe command.
  D. Run the iisreset.exe command.
  E. From Internet Information Services (IIS) Manager, modify the bindings of the WSUS website.
  B. Install a server certificate.
  C. Run the wsusutil.exe command.
  E. From Internet Information Services (IIS) Manager, modify the bindings of the WSUS website.

  ---

  Certificate needs to be installed to IIS, Bindings modifies and wsusutil run.

  1.

  First we need to request a certificate for the WSUS web site, so open IIS, click the server name, then open Server Certificates.

  On the Actions pane click Create Domain Certificate.

  2.

  To add the signing certificate to the WSUS Web site in IIS 7.0 On the WSUS server, open Internet Information Services (IIS) Manager. Expand Sites, right-click the WSUS Web site, and then click Edit Bindings. In the Site Binding dialog

  box, select the https binding, and click Edit to open the Edit Site Binding dialog box.

  Select the appropriate Web server certificate in the SSL certificate box, and then click OK. Click Close to exit the Site Bindings dialog box, and then click OK to close Internet Information Services (IIS) Manager.

  3.

  WSUSUtil.exe configuressl (the name in your certificate)

  WSUSUtil.exe configuressl.

  4.

  The next step is to point your clients to the correct url, by modifying the existing GPO or creating a new one. Open the policy Specify intranet Microsoft update service location and type the new url in the form https: //YourWSUSserver. The gpupdate /force command will just download all the GPO's and re-apply them to the client, it won't force the client to check for updates. For that you need to use wuauclt /resetautorization /detectnow followed by wuauclt /reportnow References:

  http: //technet. microsoft. com/en-us/library/bb680861. aspx http: //technet. microsoft. com/en-us/library/bb633246. aspx http: //www. vkernel. ro/blog/configure-wsus-to-use-ssl

• Question 174:

  Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2. Server1 has the following BitLocker Drive Encryption (BitLocker) settings:

  

  You need to ensure that drive D will unlock automatically when Server1 restarts. What command should you run? To answer, select the appropriate options in the answer area.

  Hot Area:

  

  

• Question 175:

  Your network contains one Active Directory domain named controso.com. The domain contains a file server named Server01 that runs Windows Server 2012 R2. Server01 has an operating system drive and a data drive. Server01 has a

  Trusted Platform Module (TPM).

  You need to enable BitLocker Drive Encryption (BitLocker) for the data drive on Server01.

  Which cmdlet should you run first?

  A. Lock-Bitlocker
  B. Enable-WindowsOptionalFeature
  C. Enable- TPMAutoProvisioning
  D. Unblock-TPM
  B. Enable-WindowsOptionalFeature

  ---

  References: https://technet.microsoft.com/en-us/library/jj612864(v=ws.11).aspx

• Question 176:

  Your network contains an Active Directory domain named adatum.com.

  You have a standard primary zone named adatum.com.

  You need to provide a user named User1 the ability to modify records in the zone. Other users must be prevented from modifying records in the zone.

  What should you do first?

  A. Run the Zone Signing Wizard for the zone.
  B. From the properties of the zone, modify the start of authority (SOA) record.
  C. From the properties of the zone, change the zone type.
  D. Run the New Delegation Wizard for the zone.
  C. From the properties of the zone, change the zone type.

  ---

  The Zone would need to be changed to a AD integrated zone When you use directory- integrated zones, you can use access control list (ACL) editing to secure a dnsZone object container in the directory tree. This feature provides detailed access to either the zone or a specified resource record in the zone. For example, an ACL for a zone resource record can be restricted so that dynamic updates are allowed only for a specified client computer or a secure group, such as a domain administrators group. This security feature is not available with standard primary zones.

  DNS update security is available only for zones that are integrated into Active Directory. After you integrate a zone, you can use the access control list (ACL) editing features that are available in the DNS snap-in to add or to remove users or groups from the ACL for a specific zone or for a resource record.

  Standard (not an Active Directory integrated zone) has no Security settings:

  

  You need to firstly change the "Standard Primary Zone" to AD Integrated Zone:

  

  Now there's Security tab:

  

  References:

  http: //technet. microsoft. com/en-us/library/cc753014. aspx http: //technet. microsoft. com/en-us/library/cc726034. aspx http: //support. microsoft. com/kb/816101

• Question 177:

  Your network contains an Active Directory forest named contoso.com. The forest contains a single domain. All domain controllers run Windows Server 2012 R2. The domain contains two domain controllers. The domain controllers are configured as shown in the following table.

  

  Active Directory Recycle Bin is enabled.

  You discover that a support technician accidentally removed 100 users from an Active Directory group named Group1 an hour ago.

  You need to restore the membership of Group1.

  What should you do?

  A. Recover the items by using Active Directory Recycle Bin.
  B. Modify the Recycled attribute of Group1.
  C. Perform tombstone reanimation.
  D. Perform an authoritative restore.
  E. Perform a non- authoritative restore.
  A. Recover the items by using Active Directory Recycle Bin.

  ---

  Active Directory Recycle Bin helps minimize directory service downtime by enhancing your ability to preserve and restore accidentally deleted Active Directory objects without restoring Active Directory data from backups, restarting Active

  Directory Domain Services (AD DS), or rebooting domain controllers.

  When you enable Active Directory Recycle Bin, all link-valued and non-link-valued attributes of the deleted Active Directory objects are preserved and the objects are restored in their entirety to the same consistent logical state that they were

  in immediately before deletion. For example, restored user accounts automatically regain all group memberships and corresponding access rights that they had immediately before deletion, within and across domains.

• Question 178:

  Your network contains an Active Directory domain named contoso.com. All servers run Windows Server 2012 R2.

  The network contains several group Managed Service Accounts that are used by four member servers.

  You need to ensure that if a group Managed Service Account resets a password of a domain user account, an audit entry is created.

  You create a Group Policy object (GPO) named GPO1.

  What should you do next?

  A. In GPO1, configure the Advanced Audit Policy Configuration settings for Audit User Account Management. Link GPO1 to the Domain Controllers organizational unit (OU).
  B. In GPO1, configure the Advanced Audit Policy Configuration settings for Audit User Account Management. Move the member servers to a new organizational unit (OU). Link GPO1 to the new OU.
  C. In GPO1, configure the Advanced Audit Policy Configuration settings for Audit Sensitive Privilege Use. Link GPO1 to the Domain Controllers organizational unit (OU).
  D. In GPO1, configure the Advanced Audit Policy Configuration settings for Audit Sensitive Privilege Use. Move the member servers to a new organizational unit (OU). Link GPO1 to the new OU.
  A. In GPO1, configure the Advanced Audit Policy Configuration settings for Audit User Account Management. Link GPO1 to the Domain Controllers organizational unit (OU).

  ---

  Audit User Account Management

  This security policy setting determines whether the operating system generates audit events when the following user account management tasks are performed:

  A user account is created, changed, deleted, renamed, disabled, enabled, locked out, or unlocked.

  A user account password is set or changed.

  Security identifier (SID) history is added to a user account. The Directory Services Restore Mode password is set. Permissions on accounts that are members of administrators groups are changed. Credential Manager credentials are backed

  up or restored. This policy setting is essential for tracking events that involve provisioning and managing user accounts.

• Question 179:

  Your network contains a production Active Directory forest named contoso.com and a test Active Directory forest named test.contoso.com. There is no network connectivity between contoso.com and test.contoso.com.

  The test.contoso.com domain contains a Group Policy object (GPO) named GPO1.

  You need to apply the settings in GPO1 to the contoso.com domain.

  Which four actions should you perform?

  To answer, move the four appropriate actions from the list of actions to the answer area and arrange them in the correct order.

  Select and Place:

  

  

• Question 180:

  Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2. Server1 has the Network Policy Server role service installed.

  You plan to configure Server1 as a Network Access Protection (NAP) health policy server for VPN enforcement by using the Configure NAP wizard.

  You need to ensure that you can configure the VPN enforcement method on Server1 successfully.

  What should you install on Server1 before you run the Configure NAP wizard?

  A. A system health validator (SHV)
  B. The Host Credential Authorization Protocol (HCAP)
  C. A computer certificate
  D. The Remote Access server role
  C. A computer certificate

  ---

  Configure NAP enforcement for VPN

  This checklist provides the steps required to deploy computers with Routing and Remote Access Service installed and configured as VPN servers with Network Policy Server (NPS) and Network Access Protection (NAP).