Microsoft 70-411 Online Practice Questions and Exam Preparation

Microsoft 70-411 Online Questions & Answers

• Question 61:

  Your network contains an Active Directory domain named adatum.com.

  A network administrator creates a Group Policy central store.

  After the central store is created, you discover that when you create new Group Policy objects (GPOs), the GPOs do not contain any Administrative Templates.

  You need to ensure that the Administrative Templates appear in new GPOs.

  What should you do?

  A. Add your user account to the Group Policy Creator Owners group.
  B. Configure all domain controllers as global catalog servers.
  C. Copy files from %Windir%\Policydefinitions to the central store.
  D. Modify the Delegation settings of the new GPOs.
  C. Copy files from %Windir%\Policydefinitions to the central store.

  ---

  To take advantage of the benefits of .admx files, you must create a Central Store in the SYSVOL folder on a domain controller. The Central Store is a file location that is checked by the Group Policy tools. The Group Policy tools use any .admx files that are in the Central Store. The files that are in the Central Store are later replicated to all domain controllers in the domain.

• Question 62:

  Your network contains an Active Directory domain named contoso.com. The Active Directory Recycle bin is enabled for contoso.com.

  A support technician accidentally deletes a user account named User1. You need to restore the User1 account.

  Which tool should you use?

  A. Ldp
  B. Esentutl
  C. Active Directory Administrative Center
  D. Ntdsutil
  C. Active Directory Administrative Center

• Question 63:

  Your network contains one Active directory forest named contoso.com. The forest contains a single domain. All domain controllers are virtual machines that run Windows Server 2012 R2. The functional level of the domain and the forest is Windows Server 2012 R2.

  The forest contains the domain controllers configured as shown in the following table.

  

  In the table below, select the domain controller that can be cloned by using domain controller cloning and select the domain controller that must be online to perform domain controller cloning. NOTE: Make only one selection in each column.

  Hot Area:

  

  

  ---

  References:

  http://blogs.technet.com/b/canitpro/archive/2013/06/12/step-by-step-domain-controller-cloning.aspx

  PDC Emulator must be online to perform Domain Controller Cloning.

  The following server roles are not supported for cloning:

  Dynamic Host Configuration Protocol (DHCP)

  Active Directory Certificate Services (AD CS)

  Active Directory Lightweight Directory Services (AD LDS)

  https://technet.microsoft.com/en-us/library/hh831734.aspx#virtualized_dc_cloning

  http://blogs.technet.com/b/canitpro/archive/2013/06/12/step-by-step-domain-controller-cloning.aspx

• Question 64:

  Your network contains one Active Directory domain named contoso.com. All domain controllers run Windows Server 2012 R2.

  A central store is configured on a domain controller named DC1.

  You have a custom administrative template file named App1.admx. App1.admx contains application settings for an application named App1.

  You copy App1.admx to the central store. You create a new Group Policy object (GPO) named App1.Settings.

  When you edit App1.Settings, you receive the warning message shown in the following exhibit.

  

  You need to ensure that you can edit the settings for App1 from the app1_settings GPO.

  A. Modify the permissions of the ADMX file.
  B. Copy an ADML file to the central store.
  C. Add an administrative Template to the App1_settings GPO.
  D. Move the ADMX file to the local Policy definitions folder.
  B. Copy an ADML file to the central store.

  ---

  This error indicates that the .adml file of Appc1.admx is not found in your central store.

  Please check whether the App1.adml file exists in

  '\SYSVOL\domainname\Policies\PolicyDefinitions\en-us'. (en-us is for English version ADML files)

  https://social.technet.microsoft.com/Forums/windowsserver/en-US/ef9d69db-3ae1-4ec3- 9e21-b6398556ec15/error-in-gpmc?forum=winserverGP

• Question 65:

  Your network contains an Active Directory domain named contoso.com. The domain contains more than 100 Group Policy objects (GPOs). Currently, there are no enforced GPOs.

  The domain is renamed to adatum.com.

  Group Policies no longer function correctly.

  You need to ensure that the existing GPOs are applied to users and computers. You want to achieve this goal by using the minimum amount of administrative effort.

  What should you use?

  A. Dcgpofix
  B. Get-GPOReport
  C. Gpfixup
  D. Gpresult
  E. Gpedit. msc
  F. Import-GPO
  G. Restore-GPO
  H. Set-GPInheritance
  I. Set-GPLink
  J. Set-GPPermission
  C. Gpfixup

  ---

  You can use the gpfixup command-line tool to fix the dependencies that Group Policy objects (GPOs) and Group Policy links in Active Directory Domain Services (AD DS) have on Domain Name System (DNS) and NetBIOS names after a domain rename operation.

  Reference: http: //technet. microsoft. com/en-us/library/hh852336(v=ws. 10). aspx

• Question 66:

  You have a server named Servers that runs Windows Server 2012 R2. Servers has the Windows Deployment Services server role installed.

  Server5 contains several custom images of Windows 8.

  You need to ensure that when 32-bit client computers start by using PXE, the computers automatically install an image named Image 1.

  What should you configure?

  To answer, select the appropriate tab in the answer area.

  Hot Area:

  

  

• Question 67:

  You have Windows Server 2012 R2 installation media that contains a file named Install.wim. You need to identify the permissions of the mounted images in Install.wim.

  What should you do?

  A. Run dism.exe and specify the /get-mountedwiminfo parameter.
  B. Run imagex.exe and specify the /verify parameter.
  C. Run imagex.exe and specify the /ref parameter.
  D. Run dism.exe and specify the/get-imageinfo parameter.
  A. Run dism.exe and specify the /get-mountedwiminfo parameter.

  ---

  /Get-MountedWimInfo Lists the images that are currently mounted and information about the mounted image such as read/write permissions, mount location, mounted file path, and mounted image index.

  References:

  http: //technet. microsoft. com/en-us/library/cc749447(v=ws. 10). aspx http: //technet. microsoft. com/en-us/library/dd744382(v=ws. 10). aspx http: //technet. microsoft. com/en-us/library/hh825224. aspx

• Question 68:

  Your network contains 25 Web servers that run Windows Server 2012 R2.

  You need to configure auditing policies that meet the following requirements:

  Generate an event each time a new process is created. Generate an event each time a user attempts to access a file share.

  Which two auditing policies should you configure? To answer, select the appropriate two auditing policies in the answer area.

  A. Audit access management (Not Defined)
  B. Audit directory service access (Not Defined)
  C. Audit logon events (Not Defined)
  D. Audit Object (Not Defined)
  E. Audit policy change(Not Defined)
  F. Audit privilege use (Not Defined)
  G. Audit process tracking (Not Defined)
  H. Audit system events(Not Defined)
  D. Audit Object (Not Defined)
  G. Audit process tracking (Not Defined)

  ---

  Explanation: * Audit Object Access

  Determines whether to audit the event of a user accessing an object (for example, file, folder, registry key, printer, and so forth) which has its own system access control list (SACL) specified.

  * Audit Process Tracking

  Determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access. Reference: Audit object access https://technet.microsoft.com/en-us/library/cc976403.aspx

  Reference: Audit Process Tracking https://technet.microsoft.com/en-us/library/cc976411.aspx

• Question 69:

  Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2. Server1 has the Network Policy Server server role installed.

  You need to allow connections that use 802.1x. What should you create?

  A. A network policy that uses Microsoft Protected EAP (PEAP) authentication
  B. A network policy that uses EAP-MSCHAP v2 authentication
  C. A connection request policy that uses EAP-MSCHAP v2 authentication
  D. A connection request policy that uses MS-CHAP v2 authentication
  C. A connection request policy that uses EAP-MSCHAP v2 authentication

  ---

  802.1X uses EAP, EAP-TLS, EAP-MS-CHAP v2, and PEAP authentication methods:

  EAP (Extensible Authentication Protocol) uses an arbitrary authentication method, such as certificates, smart cards, or credentials. EAP-TLS (EAP-Transport Layer Security) is an EAP type that is used in certificate- based security

  environments, and it provides the strongest authentication and key determination method.

  EAP-MS-CHAP v2 (EAP-Microsoft Challenge Handshake Authentication Protocol version 2) is a mutual authentication method that supports password-based user or computer authentication.

  PEAP (Protected EAP) is an authentication method that uses TLS to enhance the security of other EAP authentication protocols.

  Connection request policies are sets of conditions and settings that allow network administrators to designate which Remote Authentication Dial-In User Service (RADIUS) servers perform the authentication and authorization of connection

  requests that the server running Network Policy Server (NPS) receives from RADIUS clients. Connection request policies can be configured to designate which RADIUS servers are used for RADIUS accounting. With connection request

  policies, you can use NPS as a RADIUS server or as a RADIUS proxy, based on factors such as the following:

  The time of day and day of the week

  The realm name in the connection request

  The type of connection being requested

  The IP address of the RADIUS client

• Question 70:

  Your network contains one Active Directory domain named contoso.com. The forest functional level is Windows Server 2012. All servers run Windows Server 2012 R2. All client computers run Windows 8.1.

  The domain contains 10 domain controllers and a read-only domain controller (RODC) named RODC01. All domain controllers and RODCs are hosted on a Hyper-V host that runs Windows Server 2012 R2.

  You need to identify whether the members of the Protected Users group will be prevented from authenticating by using NTLM.

  Which cmdlet should you use?

  A. Get-ADGroupMember
  B. Get-ADDomainControllerPasswordReplicationPolicy
  C. Get-ADDomainControllerPasswordReplicationPolicyUsage
  D. Get-ADDomain
  E. Get-ADOptionalFeature
  F. Get-ADAccountAuthorizationGroup
  G. Get-ADAuthenticationPolicySilo
  H. Get-ADAuthenticatonPolicy
  D. Get-ADDomain

  ---

  Explanation: If the domain functional level is Windows Server 2012 R2, members of the (Protected Users) group can no longer authenticate by using NTLM authentication. So we need to check the domain functional level with Get-ADDomain. https://technet.microsoft.com/en-us/library/Dn518179.aspx