Microsoft 70-411 Online Practice Questions and Exam Preparation

Microsoft 70-411 Online Questions & Answers

• Question 211:

  Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2.

  You enable and configure Routing and Remote Access (RRAS) on Server1.

  You create a user account named User1.

  You need to ensure that User1 can establish VPN connections to Server1.

  What should you do?

  A. Create a network policy.
  B. Create a connection request policy.
  C. Add a RADIUS client.
  D. Modify the members of the Remote Management Users group.
  A. Create a network policy.

  ---

  Network policies are sets of conditions, constraints, and settings that allow you to designate who is authorized to connect to the network and the circumstances under which they can or cannot connect. Network policies can be viewed as rules. Each rule has a set of conditions and settings. Configure your VPN server to use Network Access Protection (NAP) to enforce health requirement policies.

  

  References:

  http: //technet. microsoft. com/en-us/library/hh831683. aspx http: //technet. microsoft. com/en-us/library/cc754107. aspx http: //technet. microsoft. com/en-us/library/dd314165%28v=ws. 10%29. aspx http: //technet. microsoft. com/en-us/

  windowsserver/dd448603. aspx http: //technet. microsoft. com/en-us/library/dd314165(v=ws. 10). aspx http: //technet. microsoft. com/en-us/library/dd469733. aspx http: //technet. microsoft. com/en-us/library/dd469660. aspx http: //technet.

  microsoft. com/en-us/library/cc753603. aspx http: //technet. microsoft. com/en-us/library/cc754033. aspx http: //technet. microsoft. com/en-us/windowsserver/dd448603. aspx

• Question 212:

  Your network contains an Active Directory domain named contoso.com. All domain controllers run Windows Server 2012 R2. You plan to use fine-grained password policies to customize the password policy settings ofcontoso.com.

  You need to identify to which Active Directory object types you can directly apply the fine- grained password policies.

  Which two object types should you identify? (Each correct answer presents part of the solution. Choose two.)

  A. Users
  B. Global groups
  C. computers
  D. Universal groups
  E. Domain local groups
  A. Users
  B. Global groups

  ---

  First off, your domain functional level must be at Windows Server 2008. Second, Fine- grained password policies ONLY apply to user objects, and global security groups. Linking them to universal or domain local groups is ineffective. I know

  what you're thinking, what about OU's? Nope, Fine-grained password policy cannot be applied to an organizational unit (OU) directly. The third thing to keep in mind is, by default only members of the Domain Admins group can set fine-

  grained password policies. However, you can delegate this ability to other users if needed.

  Fine-grained password policies apply only to user objects (or inetOrgPerson objects if they are used instead of user objects) and global security groups.

  You can apply Password Settings objects (PSOs) to users or global security groups:

  References:

  http: //technet. microsoft. com/en-us/library/cc731589%28v=ws. 10%29. aspx http: //technet. microsoft. com/en-us/library/cc731589%28v=ws. 10%29. aspx http: //technet. microsoft. com/en-us/library/cc770848%28v=ws. 10%29. aspx http: //

  www. brandonlawson. com/active-directory/creating-fine-grained-password-policies/

• Question 213:

  Your network contains an Active Directory forest. The forest contains two domains named contoso.com and fabrikam.com. All of the DNS servers in both of the domains run Windows Server 2012 R2. The network contains two servers named

  Server1 and Server2. Server1 hosts an Active Directory-integrated zone for contoso.com. Server2 hosts an Active Directory-integrated zone for fabrikam.com. Server1 and Server2 connect to each other by using a WAN link.

  Client computers that connect to Server1 for name resolution cannot resolve names in fabrikam.com.

  You need to configure Server1 to resolve names in fabrikam.com. The solution must NOT require that changes be made to the fabrikam.com zone on Server2.

  What should you create?

  A. A trust anchor
  B. A stub zone
  C. A zone delegation
  D. A secondary zone
  B. A stub zone

  ---

  A stub zone is a copy of a zone that contains only those resource records necessary to identify the authoritative Domain Name System (DNS) servers for that zone. A stub zone is used to resolve names between separate DNS namespaces. This type of resolution may be necessary when a corporate merger requires that the DNS servers for two separate DNS namespaces resolve names for clients in both namespaces.

• Question 214:

  You have a failover cluster that contains five nodes. All of the nodes run Windows Server 2012 R2. All of the nodes have BitLocker Drive Encryption (BitLocker) enabled.

  You enable BitLocker on a Cluster Shared Volume (CSV).

  You need to ensure that all of the cluster nodes can access the CSV.

  Which cmdlet should you run next?

  A. Unblock-Tpm
  B. Add-BitLockerKeyProtector
  C. Remove-BitLockerKeyProtector
  D. Enable BitLockerAutoUnlock
  B. Add-BitLockerKeyProtector

  ---

  4. Add an Active Directory Security Identifier (SID) to the CSV disk using the Cluster Name Object (CNO) The Active Directory protector is a domain security identifier (SID) based protector for protecting clustered volumes held within the Active Directory infrastructure. It can be bound to a user account, machine account or group. When an unlock request is made for a protected volume, the BitLocker service interrupts the request and uses the BitLocker protect/unprotect APIs to unlock or deny the request. For the cluster service to selfmanage BitLocker enabled disk volumes, an administrator must add the Cluster Name Object (CNO), which is the Active Directory identity associated with the Cluster Network name, as a BitLocker protector to the target disk volumes. Add-BitLockerKeyProtector - ADAccountOrGroupProtector ?ADAccountOrGroup $cno

• Question 215:

  Your network contains an Active Directory domain named contoso.com. All domain controllers run Windows Server 2012.

  You pre-create a read-only domain controller (P.QDC) account named RODC1.

  You export the settings of RODC1 to a file named Filel.txt.

  You need to promote RODC1 by using File1.txt.

  Which tool should you use?

  A. The Install-WindowsFeature cmdlet
  B. The Add-WindowsFeature cmdlet
  C. The Dism command
  D. The Install-ADDSDomainController cmdlet
  E. the Dcpromo command
  E. the Dcpromo command

• Question 216:

  Your network contains an Active Directory domain named contoso.com. Domain controllers run either Windows Server 2008 R2 Service Pack 1 (SP1) or Windows Server 2012 R2.

  You have a Password Settings object (PSOs) named PSO1.

  You need to view the settings of PSO1.

  Which tool should you use?

  A. Local Security Policy
  B. Get-ADFineGrainedPasswordPolicy
  C. Get-ADDomainControllerPasswordReplicationPolicy
  D. Server Manager
  B. Get-ADFineGrainedPasswordPolicy

  ---

  References: https://docs.microsoft.com/en-us/powershell/module/addsadministration/get-adfinegrainedpasswordpolicy?view=win10-ps

• Question 217:

  Your network contains three Network Policy Server (NPS) servers named NPS1, NPS2, and NPS3.

  NP51 is configured as a RADIUS proxy that forwards connection requests to a remote RADIUS server group named Group1.

  You need to ensure that NPS2 receives connection requests. NPS3 must only receive connection requests if NPS2 is unavailable.

  How should you configure Group1?

  A. Change the Priority of NPS3 to 10.
  B. Change the Weight of NPS2 to 10.
  C. Change the Weight of NPS3 to 10.
  D. Change the Priority of NPS2 to 10.
  A. Change the Priority of NPS3 to 10.

  ---

  Priority. Priority specifies the order of importance of the RADIUS server to the NPS proxy server. Priority level must be assigned a value that is an integer, such as 1, 2, or 3. The lower the number, the higher priority the NPS proxy gives to the RADIUS server. For example, if the RADIUS server is assigned the highest priority of 1, the NPS proxy sends connection requests to the RADIUS server first; if servers with priority 1 are not available, NPS then sends connection requests to RADIUS servers with priority 2, and so on. You can assign the same priority to multiple RADIUS servers, and then use the Weight setting to load balance between them.

• Question 218:

  Your network contains an Active Directory domain named adatum.com. The domain contains a server named Server1 that runs Windows Server 2012 R2. Server1 is configured as a Network Policy Server (NPS) server and as a DHCP

  server.

  The network contains two subnets named Subnet1 and Subnet2. Server1 has a DHCP scope for each subnet.

  You need to ensure that noncompliant computers on Subnet1 receive different network policies than noncompliant computers on Subnet2.

  Which two settings should you configure? (Each correct answer presents part of the solution. Choose two.)

  A. The NAP-Capable Computers conditions
  B. The NAS Port Type constraints
  C. The Health Policies conditions
  D. The MS-Service Class conditions
  E. The Called Station ID constraints
  C. The Health Policies conditions
  D. The MS-Service Class conditions

  ---

  The NAP health policy server uses the NPS role service with configured health policies and system health validators (SHVs) to evaluate client health based on administrator-defined requirements. Based on results of this evaluation, NPS instructs the DHCP server to provide full access to compliant NAP client computers and to restrict access to client computers that are noncompliant with health requirements.

  If policies are filtered by DHCP scope, then MS-Service Class is configured in policy conditions.

• Question 219:

  Your network contains an Active Directory domain named contoso.com. The domain contains five servers. The servers are configured as shown in the following table.

  

  All desktop computers in contoso.com run Windows 8 and are configured to use BitLocker Drive Encryption (BitLocker) on all local disk drives. You need to deploy the Network Unlock feature. The solution must minimize the number of features and server roles installed on the network. To which server should you deploy the feature?

  A. Server1
  B. Server2
  C. Server3
  D. Server4
  E. Server5
  E. Server5

  ---

  The BitLocker Network Unlock feature will install the WDS role if it is not already installed. If you want to install it separately before you install BitLocker Network Unlock you can use Server Manager or Windows PowerShell. To install the role using Server Manager, select the Windows Deployment Services role in Server Manager.

• Question 220:

  Your company has a main office and a branch office.

  The network contains an Active Directory domain named contoso.com.

  The main office contains a domain controller named DC1 that runs Windows Server 2012 R2. DC1 is a DNS server and hosts a primary zone for contoso.com. The branch office contains a member server named Server1 that runs Windows

  Server 2012 R2. Server1 is a DNS server and hosts a secondary zone for contoso.com.

  The main office connects to the branch office by using an unreliable WAN link.

  You need to ensure that Server1 can resolve names in contoso.com if the WAN link in unavailable for three days.

  Which setting should you modify in the start of authority (SOA) record?

  A. Retry interval
  B. Refresh interval
  C. Expires after
  D. Minimum (default) TTL
  C. Expires after

  ---

  Used by other DNS servers that are configured to load and host the zone to determine when zone data expires if it is not renewed