Microsoft 70-412 Online Practice Questions and Exam Preparation

Microsoft 70-412 Online Questions & Answers

• Question 211:

  Your network contains an Active Directory forest. The forest contains one domain and two sites named Site1 and Site2. Site1 contains a domain controller named DC1. Site2 contains a domain controller named DC2.

  Replication is allowed between the sites daily from 01:00 to 05:00.

  At 14:00, an administrator deletes an organizational unit (OU) named OU1 from DC1. One hour later, on DC2, an administrator creates a user account named User1 in OU1.

  Where will you find the User1 object after replication occurs between the sites?

  A. in the Active Directory Recycle Bin
  B. in the ActiveDirectoryUpdate container
  C. in the LostAndFound container
  D. in the DomainUpdates container
  C. in the LostAndFound container

  ---

  References: http://techguyvijay.blogspot.com/2012/03/lost-and-found-folder-in-active.html

• Question 212:

  Your network contains an Active Directory forest named contoso.com. The forest contains two domains named contoso.com and childl.contoso.com. The domains contain three domain controllers. The domain controllers are configured as shown in the following table.

  

  You need to ensure that the KDC support for claims, compound authentication, and kerberos armoring setting is enforced in the child1.contoso.com domain. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

  A. Upgrade DC1 to Windows Server 2012 R2.
  B. Upgrade DC11 to Windows Server 2012 R2.
  C. Raise the domain functional level of childl.contoso.com.
  D. Raise the domain functional level of contoso.com.
  E. Raise the forest functional level of contoso.com.
  A. Upgrade DC1 to Windows Server 2012 R2.
  D. Raise the domain functional level of contoso.com.

  ---

  The root domain in the forest must be at Windows Server 2012level. First upgrade DC1 to this level (A), then raise the contoso.com domain functional level to Windows Server 2012 (D).

  (A) To support resources that use claims-based access control, the principal's domains will need to be running one of the following:

  All Windows Server 2012 domain controllers

  Sufficient Windows Server 2012domain controllers to handle all the Windows 8 device authentication requests

  Sufficient Windows Server 2012 domain controllers to handle all the Windows Server 2012 resource protocol transition requests to support non-Windows 8 devices.

  References: What's New in Kerberos Authentication

  https://technet.microsoft.com/en-us/library/hh831747.aspx.

• Question 213:

  HOTSPOT

  Your network contains four Active Directory forests. The forests are configured as shown in the following table.

  

  A two-way forest trust exists between adatum.com and Marketing.adatum.com. A two-way forest trust also exists between adatum.com and Sales.adatum.com. An external trust exists between adatum.com and contoso.com.

  You plan to create a one-way forest trust from Marketing.adatum.com to Sales.adatum.com

  You need to ensure that any cross-forest authentication requests are sent to the domain controllers in the appropriate forest after the trust is created.

  How should you configure the existing forest trust settings?

  In the table below, identify which configuration must be performed in each forest.

  Note: Make only one selection in each column. Each correct selection is worth one point.

  Hot Area:

  

  

• Question 214:

  Your network contains an Active Directory domain named contoso.com. The domain contains a file server named Server1 that runs Windows Server 2012 R2. All client computers run Windows 8. You need to configure a custom Access Denied message that will be displayed to users when they are denied access to folders or files on Server1.

  What should you configure?

  A. A classification property
  B. The File Server Resource Manager Options
  C. A file management task
  D. A file screen template
  B. The File Server Resource Manager Options

  ---

  Access-denied assistance can be configured by using the File Server Resource Manager console on the file server.

  Note: Access-denied assistance is a new feature in Windows Server 2012, which provides the following ways to troubleshoot issues that are related to access to files and folders:

  Self-assistance. If a user can determine the issue and remediate the problem so that they can get the requested access, the impact to the business is low, and no special exceptions are needed in the central access policy. Access-denied

  assistance provides an access-denied message that file server administrators can customize with information specific to their organizations. For example, an administrator could set the message so that users can request access from a data

  owner without involving the file server administrator.

  Reference: Scenario: Access-Denied Assistance

• Question 215:

  Your network contains an Active Directory domain named contoso.com. The domain contains a domain controller named DC1 that runs Windows Server 2012 R2. DC1 has the DNS Server server role installed.

  The network contains client computers that run either Linux, Windows 7, or Windows 8.1.

  You have a standard primary zone named adatum.com as shown in the exhibit. (Click the Exhibit button.)

  

  You plan to configure Name Protection on all of the DHCP servers.

  You need to configure the adatum.com zone to support Name Protection.

  Which two configurations should you perform from DNS Manager? (Each correct answer presents part of the solution. Choose two.)

  A. Sign the zone.
  B. Store the zone in Active Directory.
  C. Modify the Security settings of the zone.
  D. Configure Dynamic updates.
  E. Add a DNS key record
  B. Store the zone in Active Directory.
  D. Configure Dynamic updates.

  ---

  Name protection requires secure update to work. Without name protection DNS names may be hijacked.

  You can use the following procedures to allow only secure dynamic updates for a zone. Secure dynamic update is supported only for Active Directoryintegrated zones. If the zone type is configured differently, you must change the zone type and directory-integrate the zone before securing it for Domain Name System (DNS) dynamic updates.

  1.

  (B) Convert primary DNS server to Active Directory integrated primary

  2.

  (D) Enable secure dynamic updates

  

  Reference: DHCP: Secure DNS updates should be configured if Name Protection is enabled on any IPv4 scope http://technet.microsoft.com/en-us/library/ee941152(v=ws.10).aspx

• Question 216:

  You have a server named Server1 that runs Windows Server 2012 R2.

  You download and install the Windows Azure Online Backup Service Agent on Server1.

  You need to ensure that you can configure an online backup from Windows Server Backup.

  What should you do first?

  A. From Windows Server Backup, run the Register Server Wizard.
  B. From Computer Management, add the Server1computer account to the Backup Operators group.
  C. From a command prompt, run wbadmin.exeenable backup.
  D. From the Services console, modify the Log On settings of the Windows Azure Online Backup Service Agent.
  A. From Windows Server Backup, run the Register Server Wizard.

  ---

  Enables you to back up and restore your operating system, volumes, files, folders, and applications from a command prompt. Incorrect Answers:

  B. To register a server for use with Windows Azure Backup you must run the register server wizard

  References: https://technet.microsoft.com/en-us/library/hh831677.aspx

• Question 217:

  You are configuring AD FS. Which server should you deploy on your organization's perimeter network?

  A. Web application proxy
  B. Relying-party server
  C. Federation server
  D. Claims-provider server
  A. Web application proxy

• Question 218:

  HOTSPOT

  Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2. Server1 has the Active Directory Certificate Services server role installed and configured.

  For all users, you are deploying smart cards for logon. You are using an enrollment agent to enroll the smart card certificates for the users.

  You need to configure the Contoso Smartcard Logon certificate template to support the use of the enrollment agent.

  Which setting should you modify? To answer, select the appropriate setting in the answer area.

  Hot Area:

  

  

  ---

  In application policy drop-down list select Certificate Request Agent. The Issuance Requirements Tab

  * Application policy. This option specifies the application policy that must be included in the signing certificate used to sign the certificate request. It is enabled when Policy type required in signature is set to either Application policy or Both application and issuance policy.

  Reference: Administering Certificate Templates

  http://technet.microsoft.com/en-us/library/cc725621(v=WS.10)

• Question 219:

  Your network contains a perimeter network and an internal network. The internal network contains an Active Directory Federation Services (AD FS) 2.1 infrastructure. The infrastructure uses Active Directory as the attribute store.

  You plan to deploy a federation server proxy to a server named Server2 in the perimeter network.

  You need to identify which value must be included in the certificate that is deployed to Server2.

  What should you identify?

  A. The FQDN of the AD FS server
  B. The name of the Federation Service
  C. The name of the Active Directory domain
  D. The public IP address of Server2
  A. The FQDN of the AD FS server

  ---

  To add a host (A) record to corporate DNS for a federation server On a DNS server for the corporate network, open the DNS snap-in.

  1.

  In the console tree, right-click the applicable forward lookup zone, and then click New Host (A).

  2.

  In Name, type only the computer name of the federation server or federation server cluster (for example, type fs for the fully qualified domain name (FQDN) fs.adatum.com).

  3.

  In IP address, type the IP address for the federation server or federation server cluster (for example, 192.168.1.4).

  4.

  Click Add Host.

  References: Add a host (A) record to corporate DNS for a federation server https://technet.microsoft.com/en-us/library/cc776786(v=ws.10).aspx

• Question 220:

  Your network contains an Active Directory forest. The forest contains two domains named contoso.com and fabrikam.com. The functional level of the forest is Windows Server 2003.

  You have a domain outside the forest named adatum.com.

  You need to configure an access solution to meet the following requirements:

  Users in adatum.com must be able to access resources in contoso.com.

  Users in adatum.com must be prevented from accessing resources in fabrikam.com.

  Users in both contoso.com and fabrikam.com must be prevented from accessing resources in adatum.com.

  What should you create?

  A. a one-way realm trust from contoso.com to adatum.com
  B. a one-way realm trust from adatum.com to contoso.com
  C. a one-way external trust from contoso.com to adatum.com
  D. a one-way external trust from adatum.com to contoso.com
  C. a one-way external trust from contoso.com to adatum.com

  ---

  The contoso domain must trust the adatum domain.

  Note: In a One-way: incoming trust, users in your (trusted) domain can be authenticated in the other (trusting) domain. Users in the other domain cannot be authenticated in your domain.

  Incorrect Answers:

  A, B: Use realm trusts to form a trust relationship between a non-Windows Kerberos realm and a Windows Server domain.

  D: The resources that are to be shared are in the contoso domain. References: Trust types