Exam Code: 70-411
Exam Name: Administering Windows Server 2012 R2 Exam
Your network contains an Active Directory domain named contoso.com.
You need to create a certificate template for the BitLocker Drive Encryption (BitLocker) Network Unlock feature.
Which Cryptography setting of the certificate template should you modify?
To answer, select the appropriate setting in the answer area.
Your network contains an Active Directory forest named contoso.com. The forest functional level is Windows Server 2012 R2. The forest contains a single domain.
You create a Password Settings object (PSO) named PSO1.
You need to delegate the rights to apply PSO1 to the Active Directory objects in an organizational unit named OU1.
What should you do?
A. From Active Directory Users and Computers, run the Delegation of Control Wizard.
B. From Active Directory Administrative Center, modify the security settings of PSO1.
C. From Group Policy Management, create a Group Policy object (GPO) and link the GPO to OU1.
D. From Active Directory Administrative Center, modify the security settings of OU1.
PSOs cannot be applied to organizational units (OUs) directly. If your users are organized into OUs, consider creating global security groups that contain the users from these Ous and then applying the newly defined finegrained password and account lockout policies to them. If you move a user from one OU to another, you must update user memberships in the corresponding global security groups.
Go ahead and hit “OK” and then close out of all open windows. Now that you have created a password policy, we need to apply it to a user/group. In order to do so, you must have “write” permissions on the PSO object. We’re doing this in a lab, so I’m Domain Admin.
Write permissions are not a problem : )
1. Open Active Directory Users and Computers (Start, point to Administrative Tools, and then click Active Directory Users and Computers).
2. On the View menu, ensure that Advanced Features is checked.
3. In the console tree, expand Active Directory Users and Computers\yourdomain\System\Password Settings Container
4. In the details pane, right-click the PSO, and then click Properties.
5. Click the Attribute Editor tab.
6. Select the msDS-PsoAppliesTo attribute, and then click Edit.
Your network contains an Active Directory forest named contoso.com. The forest contains two domains named contoso.com and childl.contoso.com. All domain controllers run Windows Server 2012 R2. The domain contains four domain controllers.
The domain controllers are configured as shown in the following table.
You open Active Directory Users and Computers on a client computer and connect to DC1.
You display the members of a group named Group1 as shown in the Group1 Members exhibit. (Click the Exhibit button.)
When you view the properties of a user named Userl02, you receive the error message shown in the Error exhibit. (Click the Exhibit button.)
The error message does not display for any other members of Group1.
You need to identify which domain controller causes the issue shown in the error message. Which domain controller should you identify?
The infrastructure master for a domain periodically examines the references, within its replica of the directory data, to objects not held on that domain controller. It queries a Global Catalog server for current information about the distinguished name and SID of each referenced object. If this information has changed, the infrastructure master makes the change in its local replica and also replicates the new values to other domain controllers within the domain.
The error hints the object reference is not updated in Infrastructure Master of Contoso.com domain.
Your network contains an Active Directory domain named adatum. com. The domain
contains a file server named Server1 that runs Windows Server 2012 R2.
All client computers run Windows 7.
You need to ensure that user settings are saved to \\Server1\Users\.
What should you do?
A. From a Group Policy object (GPO), configure the Folder Redirection settings
B. From the properties of each user account, configure the Home folder settings
C. From the properties of each user account, configure the User profile settings
D. From a Group Policy object (GPO), configure the Drive Maps preference.
If a computer is running Windows 2000 Server or later on a network, users can store their profiles on the server. These profiles are called roaming user profiles.
You have a server named Server1 that runs Windows Server 2012 R2. Server1 has two network adapters and is located in a perimeter network.
You need to configure Server1 as a network address translation (NAT) server.
Which node should you use to add the NAT routing protocol?
To answer, select the appropriate node in the answer area.
You have a server named Server5 that runs Windows Server 2012 R2. Servers has the Windows Deployment Services server role installed.
You need to ensure that when client computers connect to Server5 by using PXE, the computers use an unattended file.
What should you configure?
To answer, select the appropriate tab in the answer area.
Your network contains a server named Server1 that has the Network Policy and Access Services server role installed. All of the network access servers forward connection requests to Server1. You create a new network policy on Server1.
You need to ensure that the new policy applies only to connection requests from Microsoft RAS servers that are located on the 192.168.0.0/24 subnet.
Which two configurations should you perforin?
(Each correct answer presents part of the solution. Choose two.)
A. Set the MS-RAS Vendor ID condition to $teelHead.
B. Set the Called Station ID constraint to 192.168.0.
C. Set the Client IP4 Address condition to 192.168.0.0/24.
D. Set the MS-RAS Vendor ID condition to ^311$.
E. Set the Called Station ID constraint to 192.168.0.0/24.
F. Set the Client IP4 Address condition to 192.168.0.
D: MS-RAS-Vendor Matches “^311$” ) The condition means that the policy applies only when the version of the RADIUS client is ^311$, so subsequent settings in this policy apply only to RRAS machines.
F: Client IPv4 Address
Specifies the Internet Protocol (IP) version 4 address of the RADIUS client that forwarded the connection request to the NPS server.
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1. Server1 is configured as a VPN server.
You need to configure Server1 to perform network address translation (NAT).
What should you do?
A. From Network Connections, modify the Internet Protocol Version 6 (TCP/IPv6) setting of each
B. From Routing and Remote Access, add an IPv4 routing protocol.
C. From Routing and Remote Access, add an IPv6 routing protocol.
D. From Network Connections, modify the Internet Protocol Version 4 (TCP/IPv4) setting of each
To configure an existing RRAS server to support both VPN remote access and NAT routing:
1. Open Server Manager.
2. Expand Roles, and then expand Network Policy and Access Services.
3. Right-click Routing and Remote Access, and then click Properties.
4. Select IPv4 Remote access Server or IPv6 Remote access server, or both.
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that has the Remote Access server role installed. DirectAccess is implemented on Server1 by using the default configuration.
You discover that DirectAccess clients do not use DirectAccess when accessing websites on the Internet.
You need to ensure that DirectAccess clients access all Internet websites by using their DirectAccess connection.
What should you do?
A. Disable the DirectAccess Passive Mode policy setting in the DirectAccess Client Settings Group
Policy object (GPO).
B. Configure a DNS suffix search list on the DirectAccess clients.
C. Enable the Route all traffic through the internal network policy setting in the DirectAccess Server
Settings Group Policy object (GPO).
D. Configure DirectAccess to enable force tunneling.
With IPv6 and the Name Resolution Policy Table (NRPT), by default, DirectAccess clients separate their intranet and Internet traffic as follows:
– DNS name queries for intranet fully qualified domain names (FQDNs) and all intranet traffic is exchanged over the tunnels that are created with the DirectAccess server or directly with intranet servers. Intranet traffic from DirectAccess clients is IPv6 traffic.
– DNS name queries for FQDNs that correspond to exemption rules or do not match the intranet namespace, and all traffic to Internet servers, is exchanged over the physical interface that is connected to the Internet. Internet traffic from DirectAccess clients is typically IPv4 traffic.
In contrast, by default, some remote access virtual private network (VPN) implementations, including the VPN client, send all intranet and Internet traffic over the remote access VPN connection. Internet-bound traffic is routed by the VPN server to intranet IPv4 web proxy servers for access to IPv4 Internet resources. It is possible to separate the intranet and Internet traffic for remote access VPN clients by using split tunneling. This involves configuring the Internet Protocol (IP) routing table on VPN clients so that traffic to intranet locations is sent over the VPN connection, and traffic to all other locations is sent by using the physical interface that is connected to the Internet.
You can configure DirectAccess clients to send all of their traffic through the tunnels to the DirectAccess server with force tunneling. When force tunneling is configured, DirectAccess clients detect that they are on the Internet, and they remove their IPv4 default route. With the exception of local subnet traffic, all traffic sent by the DirectAccess client is IPv6 traffic that goes through tunnels to the DirectAccess server.
Your network contains an Active Directory domain named contoso.com. The domain contains a read-only domain controller (RODC) named RODC1.
You create a global group named RODC_Admins.
You need to provide the members of RODC_Admins with the ability to manage the hardware and the software on R0DC1. The solution must not provide RODC_Admins with the ability to manage Active Directory objects.
What should you do?
A. From Active Directory Users and Computers, run the Delegation of Control Wizard
B. From a command prompt, run the dsadd computer command
C. From Active Directory Users and Computers, configure the Managed By settings of the RODC1 account.
D. From Active Directory Site and Services, configure the Security settings of the RODC1 server object.
Modify the Managed By tab of the RODC account properties in the Active Directory Users and Computers snap-in, as shown in the following figure. You can click Change to change which security principal is the delegated RODC administrator. You can choose only one security principal. Specify a security group rather than an individual user so you can control RODC administration permissions most efficiently. This method changes the managedBy attribute of the computer object that corresponds to the RODC to the SID of the security principal that you specify. This is the recommended way to specify the delegated RODC administrator account because the information is stored in AD DS, where it can be centrally managed by domain administrators.
Not A: You delegate administration of a domain or organizational unit by using the Delegation of Control wizard available in the Active Directory Users and Computers snap- in.
Not B: dsadd group just adds a group to the Active Directory
If you want to pass Microsoft 70-411 exam successfully, donot missing to read latest lead2pass Microsoft 70-411 dumps.
If you can master all lead2pass questions you will able to pass 100% guaranteed.