Microsoft 70-417 Online Practice Questions and Exam Preparation

Microsoft 70-417 Online Questions & Answers

• Question 191:

  Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2.

  On a server named Server2, you perform a Server Core Installation of Windows Server 2012 R2. You join Server2 to the contoso.com domain. You need to ensure that you can manage Server2 by using the Computer Management console

  on Server1.

  What should you do on Server2?

  A. Run the Disable-NetFirewallRule cmdlet.
  B. Run the Enable-NetFirewallRule cmdlet.
  C. Run sconfig.exe and configure the network settings.
  D. Run sconfig.exe and configure remote management.
  B. Run the Enable-NetFirewallRule cmdlet.

  ---

  As we can see on the following screenshot, Remote Management is enabled by default on a new Server Core installation of 2012 (so we don't have to configure it on Server2) BUT that's not enough as it only enables WinRM-based remote management (and computer management is not WinRM- based of course). To enable the remote management from an MMC (such as server manager, or computer manager), we have to enable exception rules in the Firewall, which can be done, amongst other ways, using Powershell and the Enable-NetFirewallRulecmdlet.

  

  http://technet.microsoft.com/en-us/library/jj554869.aspx Enable-NetFirewallRule Detailed Description The Enable-NetFirewallRulecmdlet enables a previously disabled firewall rule to be active within the computer or a group policy organizational unit. This cmdlet gets one or more firewall rules to be enabled with the Name parameter (default), the DisplayName parameter, rule properties, or by associated filters or objects. The Enabled parameter for the resulting queried rules is set to True.

• Question 192:

  HOTSPOT

  Your network contains one Active Directory forest named contoso.com.

  The forest contains a single domain.

  The domain contains the domain controllers is configured as shown in the following table.

  

  The forest contains a member server named Server1. Server1 has an IP address of 172.16.10.66.

  

  The forest has the following Active Directory subnet configuration.

  Use the drop down menus to select the answer choice that complete each statement.

  Hot Area:

  

  

  ---

  S1-172.16.10.66/26, /26 = 63 IP address, Site 2 is located in this subnet. You be automatically redirected on DC2 on your IP addressing.

• Question 193:

  You are an Active Directory administrator for Contoso, Ltd.

  You have a properly configured certification authority (CA) in the contoso.com Active Directory Domain Services (AD DS) domain. Contoso employees authenticate to the VPN by using a user certificate issued by the CA.

  Contoso acquires a company named Litware, Inc., and establishes a forest trust between contoso.com and litwareinc.com. No CA currently exists in the litwareinc.com AD DS domain.

  Litware employees do not have user accounts in contoso.com and will continue to use their litwareinc.com user accounts. Litware employees must be able to access Contoso's VPN and must authenticate by using a user certificate that is

  issued by Contoso's CA.

  You need to configure cross-forest certificate enrollment for Litware users.

  Which two actions should you perform? Each correct answer presents part of the solution.

  A. Grant the litwareinc.com AD DS Domain Computers group permissions to enroll for the VPN template on the Contoso CA.
  B. Copy the VPN certificate template from contoso.com to litwareinc.com.
  C. Add Contoso's root CA certificate as a trusted root certificate to the Trusted Root Certification Authority in litware.com.
  D. Configure clients in litwareinc.com to use a Certificate Policy server URI that contains the location of Contoso's CA.
  C. Add Contoso's root CA certificate as a trusted root certificate to the Trusted Root Certification Authority in litware.com.
  D. Configure clients in litwareinc.com to use a Certificate Policy server URI that contains the location of Contoso's CA.

  ---

  Publish the root CA certificate from the resource forest to the account forests

  References: http://social.technet.microsoft.com/wiki/contents/articles/7734.certificate-enrollment-web-services-in-active-directory-certificate-services.aspx#Forest_Consolidation https://technet.microsoft.com/en-us/library/ff955845(v=ws.10).aspx https://technet.microsoft.com/en-us/library/dd851419.aspx https://social.technet.microsoft.com/wiki/contents/articles/14715.test-lab-guide-mini-module-cross-forest-certificate-enrollment-using-certificate-enrollment-web-services.aspx

• Question 194:

  Your network contains an Active Directory domain named contoso.com. The domain contains six domain controllers. The domain controllers are configured as shown in the following table.

  

  The network contains a server named Server1 that has the Hyper-V server role installed. DC6 is a virtual machine that is hosted on Server1.

  You need to ensure that you can clone DC6.

  Which FSMO role should you transfer to DC2?

  A. Rid master
  B. Domain naming master
  C. PDC emulator
  D. Infrastructure master
  C. PDC emulator

  ---

  The clone domain controller uses the security context of the source domain controller (the domain controller whose copy it represents) to contact the Windows Server 2012 R2 Primary Domain Controller (PDC) emulator operations master role holder (also known as flexible single master operations, or FSMO). The PDC emulator must be running Windows Server 2012 R2, but it does not have to be running on a hypervisor. http://technet.microsoft.com/en-us/library/hh831734.aspx

• Question 195:

  Your network contains an Active Directory forest named contoso.com.

  The forest contains two domains named contoso.com and child.contoso.com and two sites named Site1 and Site2. The domains and the sites are configured as shown in following table.

  

  When the link between Site1 and Site2 fails, users fail to log on to Site2.

  You need to identify what prevents the users in Site2 from logging on to the child.contoso.com domain.

  What should you identify?

  A. The placement of the infrastructure master
  B. The placement of the global catalog server
  C. The placement of the domain naming master
  D. The placement of the PDC emulator
  B. The placement of the global catalog server

  ---

  User logon. In a forest that has more than one domain, two conditions require the global catalog during user authentication:

  In a domain that operates at the Windows 2000 native domain functional level or higher, domain controllers must request universal group membership enumeration from a global catalog server. When a user principal name (UPN) is used at

  logon and the forest has more than one domain, a global catalog server is required to resolve the name.

  References:

  http://technet.microsoft.com/en-us/library/cc728188(v=ws.10).aspx

• Question 196:

  Your network contains an Active Directory domain named contoso.com. The domain contains three domain controllers. The domain controllers are configured as shown in the following table.

  

  You are creating a Distributed File System (DFS) namespace as shown in the exhibit.

  

  You need to identify which configuration prevents you from creating a DFS namespace in Windows Server 2008 mode.

  Which configuration should you identify?

  A. The location of the PDC emulator role
  B. The functional level of the domain
  C. The operating system on Server1 and Server3
  D. The location of the RID master role
  B. The functional level of the domain

  ---

  With DFS Namespaces (Distributed File System, Distributed File System) and the DFS Replication is simplified, enabling highly available access to files, load balancing and WAN-friendly replication. In the operating system Windows Server 2003 R2 Microsoft DFS Namespaces has (formerly known as DFS) revised and renamed, the DFS Management snap-in through the DFS Management snap-in replaces and introduced the new DFS Replication feature. In the operating system Windows Server 2008 Windows Server 2008 mode for domain-based namespaces as well as a number of improvements in terms of usability and performance have been added. With the DFS technologies WAN-friendly (Wide Area Network) replication and simplified, highly available access to geographically Distributed files allows. DFS includes these two technologies: DFS Namespaces Using DFS Namespaces You can shared folders located on different servers, are grouped into one or more logically structured namespaces. Each namespace is displayed to users as a single shared folder with a series of subfolders. With this structure, the availability is increased, and for user connections to shared folders on the same Active Directory Domain Services site are automatically prepared, if it is available. Users are therefore not routed over WAN links. DFS Replication DFS Replication is an efficient replication engine with multiple masters, with the folders between servers via network connections with limited bandwidth can be continuously synchronized. Thus, the FRS will File Replication Service (FRS) replaces a replication module for DFS Namespaces and for replication of the AD DS SYSVOL folder in domains that use the Windows Server 2008 domain functional level is used. Domain-based namespaces in Windows Server 2008 mode in Windows Server 2008 can domain-based namespaces in Windows Server 2008 mode are created. This support for access-based enumeration and increased scalability is activated. The 2000 Server introduced in Windows domain-based namespace is now referred to as "domain-based namespace (Windows 2000 Server mode)." To use the Windows Server 2008 mode, the domain and the domain-based namespace must meet the following minimum requirements: For the domain, the Windows Server 2008 domain functional level is used. On all namespace servers running Windows Server of 2008.

  References: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff633469(v=ws.10)

• Question 197:

  Your Network contains oneActive Directory domain named contoso.com. You pilot DirectAccess on the network.

  During the pilot deployment, you enable DirectAccess only for a group Contoso\Test Computers. Ones the pilot is complete, you need to enable DirectAccess for all the client computers in the domain.

  What should you do?

  A. From Windows PowerShell, run the Set-DAClient cmdlet.
  B. From Windows PowerShell, run the Set-DirectAccess cmdlet.
  C. From Active Directory Users and Computers, modify the membership of the Windows Authorization Access Group.
  D. From Group Policy Management, modify the security filtering of an object named DirectAccess Client Setting Group Policy.
  D. From Group Policy Management, modify the security filtering of an object named DirectAccess Client Setting Group Policy.

  ---

  References: http://technet.microsoft.com/en-us/library/jj574180.aspx http://technet.microsoft.com/en-us/library/hh918432(v=wps.630).aspx

• Question 198:

  HOTSPOT

  You have two servers that run Windows Server 2012 R2. The servers are configured as shown in the following table.

  

  You need to ensure that Server2 can be managed by using Server Manager from Server1.

  In the table below, identify which actions must be performed on Server1 and Server2.Make only one selection in each row. Each correct selection is worth one point.

  Hot Area:

  

  

  ---

  Modify the TrustedHosts list - Server1 Set the network profile to Private- Server2 Override the User Account Control (UAC) restrictions by using the LocalAccountTokenFilterPolicy registry entry - Server 2

  On the computer that is running Server Manager, add the workgroup server name to the TrustedHosts list.

  References: http://technet.microsoft.com/en-us/library/hh831453.aspx

• Question 199:

  You have a server named Server1 that has a Server Core installation of Windows Server 2008 R2. Server1 has the DHCP Server role and the File Server role installed. You need to upgrade Server1 to Windows Server 2012 with the

  graphical user interface (GUI).

  The solution must meet the following requirements:

  Preserve the server roles and their configurations.

  Minimize administrative effort.

  What should you do?

  A. On Server1, run setup.exe from the Windows Server 2012 installation media and select Server with a GUI.
  B. Start Server1 from the Windows Server 2012 installation media and select Server Core Installation. When the installation is complete, add the Server Graphical Shell feature.
  C. Start Server1 from the Windows Server 2012 installation media and select Server with a GUI.
  D. On Server1, run setup.exe from the Windows Server 2012 installation media and select Server Core Installation. When the installation is complete, add the Server Graphical Shell feature.
  D. On Server1, run setup.exe from the Windows Server 2012 installation media and select Server Core Installation. When the installation is complete, add the Server Graphical Shell feature.

• Question 200:

  You have a Direct Access Server named Server1 running Server 2012. You need to add prevent users from accessing websites from an Internet connection.

  What should you configure?

  A. Split Tunneling
  B. Security Groups
  C. Force Tunneling
  D. Network Settings
  C. Force Tunneling

  ---

  References: https://blogs.technet.microsoft.com/tomshinder/2010/03/30/more-on-directaccess-split-tunneling-and-force-tunneling/