
Remote users connect to your network through a virtual private network [VPN] connection over
the Internet. One of the resources that they need to access is a file server named FS1. The antivirus
software on FS1 reports an attempted virus infection on the server. You trace it back to one of the
remote users. You need to minimize the chance of this happening in the future. You deploy
Network Access Protection [NAP] with Routing and Remote Access [RRAS]. You need to
configure the appropriate NAP health policy settings. Which two health policy settings should
you configure? [Each correct answer presents part of the solution. Choose two.]
The client computer has current antivirus updates installed.
The client computer has firewall software installed and enabled.
Microsoft Update Services is enabled on the client computer.
The client computer has antivirus software installed and running.
The client computer has antispyware software installed and running.
The client computer has current antispyware updates installed.

Which statement is correct about DirectAccess with Microsoft Windows Server 2012?
Permits remote users running Microsoft Windows Vista or Windows 7 to access network
resources with the launch of a virtual private network [VPN] connection.
Permits remote users running Microsoft Windows 7 or Windows 8 to access network resources
without having to open a virtual private network [VPN] connection.
Permits remote users running Microsoft Windows Vista or Windows 7 to access network
resources without having to open a virtual private network [VPN] connection.
Permits remote users running Microsoft Windows 7 or Windows 8 to access network resources
with the launch of a virtual private network [VPN] connection.

Which three Network Policy Server [NPS] templates can be configured in Templates
Management? [Choose three.]
VPN
RADIUS Clients
Shared Secrets
IP Filters

You are an engineer for a company that has an Active Directory Domain Services [AD DS] domain named
example.com. You are exploring the benefits of implementing Group Managed Service Accounts [gMSAs] in
your domain. You test setting one of the accounts up in your test domain named example.test. The domain
has a Windows Server 2012 server joined to it. You start with the best practice of creating a global security
group to hold the objects that are going to be managed. Next, you invoke this PowerShell [PS] cmdlet:
New-ADServiceAccount -Name BillsCustomTask -DNSHostName BillsCustomTask.example.test -PrincipalsAllowedToRetrieveManagedPassword "Domain Controllers"
Then, you run the PS cmdlet, and you get this error: Key Does Not Exist. What should you do to eliminate this error?
You must install the KDS Root Key by running the cmdlet Get-KDSRootKey -EffectiveImmediately.{gMSA}.
You must install the KDS Root Key by running the cmdlet Install-AdServiceAccount {gMSA}.
You must create the KDS Root Key by running the cmdlet Add-KDSRootKey -EffectiveImmediately.
You must create the KMS Root Key by running the cmdlet Add-KMSRootKey -EffectiveImmediately.

The client computer has current antivirus updates installed.


The client computer has antivirus software installed and running.
You should configure these two policies:
The client computer has antivirus software installed and running. The client computer has
current antivirus updates installed.
This will cause NAP to evaluate the health of the remote client computer to determine if antivirus software
is installed and running and if the antivirus updates are current. This will help ensure that the client
computer is not virus-infected, which will help prevent the spread of viruses. If a computer fails the health
validation, you can configure NAP to either not allow the client access to the network or allow limited access
only. In many cases, you can configure automatic remediation, that is, have NAP take steps to correct the
problem automatically. In this situation, these policies are not required:
*The client computer has antispyware software installed and running.
*The client computer has current antispyware updates installed.
The problem reported was with a virus, not with spyware. In this situation, there is no reason to verify that
firewall software is installed and configured or if Windows Update Services are installed.

Permits remote users running Microsoft Windows 7 or Windows 8
to access network resources without having to open a virtual
private network [VPN] connection.
DirectAccess, a feature in Windows Server 2012, allows you to
effortlessly access your company's network from an Internet-equipped remote location without opening a [VPN] connection.
The end user must be running the Windows 7 or Windows 8
operating system to utilize DirectAccess.

RADIUS Clients
Shared Secrets
IP Filters
These NPS templates can be configured in Templates Management:
*Shared Secrets
*RADIUS Clients
*Remote RADIUS Servers
*IP Filters
*Health Policies
*Remediation Server Groups

You must create the KDS Root Key by running the cmdlet Add-KDSRootKey -EffectiveImmediately.
To use a gMSA, you must run the PS cmdlet Add-KDSRootKey -EffectiveImmediately in the domain. This key is used by the Key Distribution
Service [KDS] on the domain controller to generate passwords. This is only
done once in the domain. Add-KMSRootKey -EffectiveImmediately is not a
valid PS cmdlet, and KMS is the Key Management Server used to activate
volume licensed Microsoft products. Install-AdServiceAccount {gMSA} does
not generate a KDS Root Key but installs the gMSA on the server on which it
will be used. Get-KDSRootKey -EffectiveImmediately.{gMSA} is not the
correct PS cmdlet syntax.

SHA unable to contact required services

You are an engineer for a company that has an Active Directory Domain Services [AD DS]
domain. Your network has Network Access Protection [NAP] deployed on a Microsoft Windows
Server 2012 server. You are using Windows Security Health Agent [WSHA] to monitor your NAP-compliant client computers. This requires you to have the Security Center Service started. You
want to ensure that, if WSHA cannot generate a Statement of Health [SoH] because the Security
Center Service is not running, you get an error. You have the Windows Security Health Validator
[SHV] properties window open. What Error code resolution should you set to Noncompliant?
SHA unable to contact required services
SHA not responding to NAP Client
SHV unable to contact required services
SHV not responding

You should set SHA unable to contact required services to Noncompliant. The error SHA unable to contact
required services can occur if the Security Health Agent [SHA] is unable to successfully read the client
configuration. SHAs monitor the configuration of the client computer and will submit a new SoH when
the configuration has been changed or when the previous SoH has expired. An SHA must be registered with
a NAP Agent for it to work, and it must be initialized to provide an SoH. An SHA will attempt to provide
an SoH if there is a corresponding system health validator [SHV] enabled in a health policy on NPS. If an
SHA is not able to provide an SoH to the NAP Agent service, the client computer will be in a noncompliant
state if that particular SHA is required by Network policy. This can occur with the WSHA, if the Security
Center service is not started, or it can occur if an SHA is not properly registered or initialized. You should not
set SHV unable to contact required services to Noncompliant. This error can occur if NPS loses network
connectivity to a health requirement server that has been set up. You should not set SHA not responding to
NAP Client to Noncompliant. This error can occur if an SHA is not properly initialized and registered. You
should not set SHV not responding to Noncompliant. This error can occur if the performance of an SHV has
been degraded.

You are an engineer for a company that has an Active Directory Domain Services [AD DS]
domain. Your network has Network Access Protection [NAP] deployed on a Microsoft Windows
Server 2012 server that is joined to the domain. You would like NAP to use Dynamic Host
Configuration Protocol [DHCP] enforcement on the NAP-compatible client computers.
Compliant client computers will gain unrestricted access to your network and be assigned an
IPv4 address in this range: 172.16.0.0/16. You must have the Noncompliant client computers
assigned a non-routable IPv4 address in this range: 192.168.200.0/24. When you boot up your
noncompliant test machine, you find that it received a DHCP address of 172.16.1.50/16. Why did
the test machine not get a noncompliant DHCP address?
You did not authorize the DHCP server in Active Directory [AD].
You did not specify NAP Enforcement Servers Running DHCP Server.
You did not configure a DHCP scope for noncompliant client computers.
You did not select DHCP for your Network Connection Method.

You are the administrator for the Active Directory Domain Services [AD DS] domain corp.net.
All domain controllers are running Microsoft Windows Server 2012 and all client computers are
running a mix of Windows 7 and Windows 8. You want to configure the client computers to use
microsoft.com as the default home page. You have configured a Group Policy object [GPO] with
the Preferences settings as shown in the exhibit and linked it to the correct Organizational Unit
[OU]. By inspection you discover that the settings do not take effect on the client computers. What
should you do?
Press F7 to activate the setting in Preferences.
Press F6 to activate the setting in Preferences.
Press F5 to activate the setting in Preferences.
Press F8 to activate the setting in Preferences.

You are the administrator for the Active Directory Domain Services [AD DS]
corp.net domain. The domain contains a Domain Controller [DC] named
dc1.corp.net and a Domain Name System [DNS] server named dns1.corp.net.
You are concerned that computers from visiting consultants could corrupt
your DNS with unnecessary records. You need to change settings to only allow
domain computers to register in DNS. You need to make the changes using the
least amount of administrative effort. What should you do?
Install DNS on the DC and configure Secure Only updates.
Configure security settings on the DNS server to only allow the domain computers to register.
Configure the DNS server to allow for Secure Only updates.
Configure the DNS server with scavenging.

You are the administrator for the Active Directory Domain Services [AD DS]
corp.net domain. The domain contains several domain controllers [DCs], all
running Microsoft Windows Server 2012. You have noticed that one of the DCs
has decreased in performance. To correct the problem and regain
performance on the DC, you decide to do an offline defragmentation of the
Active Directory database on the DC. What should you do?
Reboot the DC in Active Directory Restore Mode and use Disk
Defragmentation to defragment the database.
Stop AD DS and use Disk Defragmentation to defragment the database.
Use the metadata cleanup option in Ntdsutil.
Use the compact option in Ntdsutil.

You are the administrator for the Active Directory Domain Services [AD
DS] corp.net domain. The domain includes a domain controller [DC]
named DC1.CORP.NET. Currently, DC1.CORP.NET is configured with
default settings for database and log file locations. You need to move the
log files to E:\Logfiles. Which Ntdsutil command should you use?
Roles
Local Roles
IFM
Files

You did not configure a DHCP scope for noncompliant client computers.
The most likely reason is that you did not configure a DHCP scope for
noncompliant client computers. Before you start assigning IPv4 addresses to
noncompliant client computers in the 192.168.200.0/24 range, you need to
configure a scope for that range. It is unlikely that you did not specify NAP
Enforcement Servers Running DHCP Server. You would have had to specify an
Enforcement server to get an IPv4 address. It is unlikely that you did not select
DHCP for your Network Connection Method. You would have had to configure
your Network Connection Method when you set up the Network Policy Server
[NPS]. It is unlikely that you did not authorize the DHCP server in the AD. The
server would not assign any IPv4 addresses if it had not been authorized in AD.

Press F6 to activate the setting in Preferences.


You should press F6. Notice the red dotted line in the Preference setting. This indicates that the
setting is disabled. To enable the setting you must press F6 and the red dotted line will change to
a solid green line indicating that the setting is active. You should not press F5. Notice the red
dotted line in the Preference setting. This indicates that the setting is disabled. Pressing F5 will
enable all settings and not only the setting for the default home page. You should not press F7.
Notice the red dotted line in the Preference setting. This indicates that the setting is disabled.
Pressing F7 will disable a single setting but, because they are all already disabled, this will not
change anything. You should not press F8. Notice the red dotted line in the Preference setting.
This indicates that the setting is disabled. Pressing F8 will disable all settings but, because they
are all already disabled, this will not change anything.

Install DNS on the DC and configure Secure Only updates.


You should install DNS on the domain controller and configure Secure Only updates. The Secure
Only updates feature has two functions. First, it ensures that only computers known to the AD DS
domain are allowed to register in the DNS zone. Second, it makes sure that only the original
registering computer may change a record in the DNS zone. For this to work, the DNS server
needs to be configured on a domain controller. You should not configure the DNS server to allow
for Secure Only updates. The configuration option Secure Only updates is only available if the
DNS server is configured on a domain controller. You should not configure security settings.
Security settings on the DNS server are only used to control who can change configurations on
the DNS server, not to control which computers can register their records in the DNS zone. You
should not configure scavenging. Scavenging is used to remove old records from the DNS zone. If
you use dynamic updates to register your computers in the DNS zone, this function can be used to
delete records if the computers have not been in contact with the DNS server for a certain period
of time.

Use the compact option in Ntdsutil.


You should use the compact option in Ntdsutil. In Ntdsutil there is an option in the file section
called compact. The compact command is used to compress and defragment the Active Directory
database. It does this in a process where it actually creates a new version of the database in
another location, after which you copy the new version back and overwrite the old one. Before
running the command, you need to stop AD DS. You should not use the metadata cleanup option.
The metadata cleanup option in Ntdsutil is used to clean up the database for orphaned objects. If
you have deleted a DC by simply removing it physically, the object for that DC will still exist in
the database. Using metadata cleanup, you can clean up the database for the no longer existing
object. You should not use Disk Defragmentation. Disk Defragmentation is only used to run a
defragmentation of files on the disk. It is not able to defragment the Active Directory database.

Files
You should use Files to move the log files to E:\Logfiles. Ntdsutil includes a command named
Files that can be used to move the Active Directory database and log files. The command "Move
logs to E:\Logfiles" in Files would move the log files of Active Directory to the new location. You
need to stop AD DS before attempting the move operation. You should not use Install From
Media [IFM] to move the log files to E:\Logfiles. IFM is used in the process of promoting a DC.
Normally, you would install a DC and it would begin replication of data from another DC. If you
prefer, you can set up a new DC and have it build the Active Directory Database from a backup
created on another DC by using the IFM option during the configuration process. You should not
use Local Roles to move the log files to E:\Logfiles. Local Roles is used on a Read-Only Domain
Controller [RODC] to assign specific local roles to members of the IT staff. Instead of adding a
local IT person to the Domain Admins group, you would use Local Roles to assign the desired
permissions. You should not use Roles to move the log files to E:\Logfiles. Roles is used to
transfer or seize the different Flexible Single Master Operation [FSMO] roles in Active Directory.

You are the administrator for the Active Directory Domain Services [AD DS] domain corp.net.
All domain controllers are running Microsoft Windows Server 2012 and all client computers are
running a mix of Windows 7 and Windows 8. You have employed a new system administrator
named John. One of John's responsibilities is to do troubleshooting on all client computers. In
order to do troubleshooting, John needs to be a member of the local Administrators group on all
client computers. The company security policy states that no system administrator should be a
local administrator on client computers that he or she does not manage. You need to assign the
proper permissions and uphold the company security policy. What should you do?
Add John to the local Administrators security group on all client computers.
Have John add himself to the local Administrators security group on the client computer after
logon.
Add John to the Domain Admins security group.
Create a Group Policy Preference that adds the current user to the local Administrators group
and have it apply to John.

You are the administrator for the Active Directory Domain Services [AD DS] domain corp.net.
All domain controllers are running Microsoft Windows Server 2012 and all client computers are
running Windows 8. The Active Directory domain contains two Active Directory Sites named US
and EU. You need to copy a special configuration file from a share on one of the file servers to the
root of the system drive on the client computers. The configuration file should be copied at first
login and only exist on computers in the EU site. You have configured Group Policy Preferences
in a Group Policy object [GPO] and linked it to the Domain. You have configured all the General
settings. What settings shown in the exhibit should you enable? [Choose all that apply.]
Apply once and do not reapply
Item-level targeting
Remove this item when it is no longer applied
Stop processing items in this extension if an error occurs
Run in logged-on user's security context [user policy option]

You are the administrator for the Active Directory Domain Services [AD DS] domain corp.net. All domain
controllers are running Microsoft Windows Server 2012 and the client computers are all running Windows 7.
The user accounts for local IT support staff members are located in various Organizational Units [OUs] in
Active Directory. You need to configure a mapped drive for all the Local IT support staff members using the
least amount of administrative effort. All IT support staff members are members of a security group named
ITsupport. [The relevant portion of group policies is shown in the exhibit]. What should you do?
Create a Group Policy object [GPO] in the Group Policy Objects container. Configure Preferences to create a
mapped drive and link the GPO to the HR, IT, and Sales OUs.
Configure a Group Policy object [GPO] linked to the domain. In the GPO configure Preferences to create a
mapped drive using Item-level targeting for the ITsupport security group.
Configure a Group Policy object [GPO] linked to the domain. In the GPO configure a logon script to create
the mapped drive and finally create a Windows Management Instrumentation [WMI] script to only target
members of the ITsupport security group.
Configure a Group Policy object [GPO] in the Group Policy Objects container. Configure a logon script to
create the mapped drive and link the GPO to all OUs containing IT support staff members.

You are the administrator for the Active Directory Domain Services [AD
DS] domain corp.net. All domain controllers are running Microsoft
Windows Server 2012. You need to create a backup of all Group Policy
objects [GPOs] in the Active Directory domain. What tools can you use?
[Choose all that apply.]
The Group Policy Management Console
Windows Server Backup
Gpedit.msc
Ntdsutil
The PowerShell cmdlet Backup-GPO

You are the administrator for the Active Directory Domain Services [AD DS] domain corp.net.
All servers are running Microsoft Windows Server 2012 and all client computers are running
Windows XP SP1. You have configured 30 file servers with a locally attached scanner. The
software for the scanner needs a special configuration set for registry keys only found on each
file server. You decide to configure the registry keys through Group Policy Preferences. From your
client computer, you configure a Group Policy object and link it to the Organizational Unit [OU]
containing the file servers. What should you do next?
Run the New Registry Item with the Create action to configure the key.
Run the New Collection Item with the Create action to configure the key.
Run the New Registry Item with the Update action to configure the key.
Run the New Registry Wizard to configure the key.

Create a Group Policy Preference that adds the current user to the local Administrators group and have it
apply to John.
You should create a Group Policy Preference. In Group Policy Preference, you have the option to control
members of the local Administrators group. One of the configuration options is to add the current user [the
logged on user]. If you apply the Group Policy Preference to John, all client computers John logs on to will
add him to the local Administrators security group. You could use Item-level targeting to apply the Group
Policy Preference to John. You should not add John to the Domain Admins security group. Although this
would make John a member of the local Administrators security group, it would not comply with the
company security policy, since John would become a local Administrator on all client computers. You should
not add John to the local Administrators security group. This would not comply with the company security
policy. You should not have John add himself. In order to add user accounts to the local Administrators
group, you need administrative permissions on the local computer. In this case, if John is not already a
member of the local Administrators security group, he cannot control the members of it.

Item-level targeting
Remove this item when it is no longer applied
You should enable the setting Remove this item when it is no longer applied. If a user is moved from the EU
site to the US site, the file needs to be removed. This option will make sure that the file is deleted if the
Group Policy Object no longer applies to the user. You should enable Item-level targeting. You need the
group policy to apply to users in the EU site and this task can be accomplished by using Item-level targeting.
Item-level targeting is a form of Windows Management Instrumentation [WMI] where the group policy can
query the user for the current site and only apply the settings in the EU site. You should not enable the
setting Apply once and do not reapply, as the file only needs to be copied once when using this option. If
the user accidentally deletes the file, it will not be copied again from the file server. You should not enable
the setting Stop processing items in this extension if an error occurs. Although this will do no harm in this
case, it will not solve the task. You should not enable the setting Run in logged-on users' security context
[user policy option]. There are two security contexts in which Group Policy applies user preferences: the
SYSTEM account and the logged-on user. By default, Group Policy processes user preferences using the
security context of the SYSTEM account. But sometimes it can be useful to run the processes using the user
security; for example, in cases where the system does not have adequate permissions.

Configure a Group Policy object [GPO] linked to the domain. In the GPO configure Preferences to create a
mapped drive using Item-level targeting for the ITsupport security group.
You should configure Preferences with Item-level targeting. Although you can create a script to deploy the
mapped drive, Windows 2012 and Windows 7 support the use of Preferences where the function to map a
drive is built in. Because the members of the IT support staff are distributed in the Active Directory, you
should use Item-level targeting to only target the members of the ITsupport security group. You should not
create a script and use a WMI filter. Although this would be possible, it is not the easiest way to accomplish
the task. As noted, Windows 2012 and Windows 7 support the use of Preferences where the function to
map a drive is built in. You should not create a script and link the GPO to all OUs. Linking the GPO to all
OUs without any form of filter would cause the GPO to create the mapped drive for all users in all OUs. You
should not use Preferences and link the GPO to the HR, IT, and Sales OUs. Although Preferences would be
the correct way to deploy the mapped drive, creating it without using Item-level targeting would force the
GPO to create the mapped drive for all users and not only members of the ITsupport security group.

The Group Policy Management Console
The PowerShell cmdlet Backup-GPO
You should use the Group Policy Management Console [GPMC]. The GPMC is the primary tool
for creating and managing GPOs. The Group Policy Objects container in the GPMC contains all
GPOs for the Active Directory domain and can be used to back up all or individual GPOs. You
could also use Backup-GPO. Backup-GPO is a PowerShell cmdlet used to create backups of
GPOs. It can be used to back up a single GPO or, using the -All switch, create a backup of all
GPOs. You should not use Windows Server Backup. Although Windows Server Backup can create
a backup of Active Directory using the systemstate backup function, it does not have a specific
option to create backups of GPOs. You should not use ntdsutil. Ntdsutil is a command line tool
used to perform maintenance of the Active Directory database. It does not have a specific option
to back up or restore GPOs. You should not use gpedit.msc. Gpedit.msc is a tool used to configure
the local group policies for a single computer. It does not include any options to back up GPOs
stored in Active Directory.

Run the New Registry Wizard to configure the key.


You should use the Registry Wizard. When creating new registry settings using Group Policy
Preferences, the normal process is that the keys are derived from the local machine. Only the
Registry Wizard can collect registry key configurations from other machines. Since the keys are
only found on the file servers, this is the only option. You should not run the New Registry Item
with the Update action. The New Registry Item function will only collect keys from the local
machine and not the keys found on a file server. You should not run the New Collection Item with
the Create action. The Collection Item function is just a collection of registry keys and as such
cannot be used to configure any settings directly. You should not run the New Registry Item with
the Create action. The New Registry Item function will only collect keys from the local machine
and not the keys found on a file server. Whether you use the Update or Create action in this case
does not matter.

Run Group Policy Modeling.


You are the administrator for the Active Directory Domain Services [AD DS] domain corp.net.
The domain is configured as a single domain forest. All domain controllers are running
Microsoft Windows Server 2012 and all client computers are running Windows XP SP2. You
have been assigned the task of moving a large number of user accounts from the New York HR
Organizational Unit [OU] to the New York Sales OU. You need to determine the group policy
settings that will affect the users after the move operation. The relevant configurations in Group
Policy Management Console are shown in the exhibit. What should you do?
Run Group Policy Results.
On the domain controller, run rsop.msc.
On the domain controller, run gpresult.
Run Group Policy Modeling.

You are the administrator for the Active Directory Domain Services [AD
DS] domain named corp.net. All domain controllers are running
Microsoft Windows Server 2012 and all client computers are running
Windows 7. You need to reset the Default Domain group policy settings.
What tool should you use?
Gpedit.msc
Gpupdate
Dcgpofix
Gpfixup
Gpresult

You should run Group Policy Modeling. Group Policy Modeling is a feature in the Group Policy
Management Console [GPMC] that you can use to run a modeling of what would happen if you
move users or computers from one location in the Active Directory domain to another. Group
Policy Modeling does not move any objects, it only generates a report. You should not run Group
Policy Results. Group Policy Results is a feature in the GPMC that allows you to remotely
generate a report of all the group policy settings applied to a user or computer at last logon. You
should not run gpresult. Gpresult is a tool to determine the effective group policy settings that
were applied the last time a user logged on or a computer booted up. The tool is run locally and
only shows the group policy settings that are already in effect. You should not run rsop.msc.
Rsop.msc is a graphical version of gpresult, and just like gpresult, it can only be used to create a
report of what group policy settings are in effect, not what will happen if you move a user or
computer object in Active Directory.

Dcgpofix
You should use dcgpofix. Dcgpofix can be used to restore the two default group policies. If you
run dcgpofix /ignoreschema /target:Domain you will restore the default domain policy. If you
run dcgpofix /ignoreschema /target:DC you will restore the default domain controller policy.
You should not use gpfixup. Gpfixup is used to fix group policy dependencies after a domain
rename operation has been performed. You should not use gpresult. Gpresult is used to assess the
resultant set of policies applied to a computer or user in any case where multiple policies apply
to the same computer or user. You should not use gpedit.msc. Gpedit.msc is a tool used to
configure the local group policies set on a user or computer. You should not use gpupdate.
Gpupdate is used to update the group policy settings applied to a user or computer. Run it with
the /force switch and you can force an update of settings even if they have not been changed on the
domain controller.

Link the Desktop Settings GPO to the New York Sales OU.


You are the administrator for the Active Directory Domain Services corp.net domain. A Group
Policy object [GPO] for the domain has been configured as shown in the exhibit. Users in the New
York Sales Organizational Unit [OU] report that they are not receiving the same settings for the
desktop as their colleagues in the other sales locations. You need to solve the problem using the
least amount of administrative effort and without applying excessive policy settings to the New
York Sales OU. What should you do?
Create a new GPO for the New York Sales OU and configure the desktop settings.
Force a Group Policy update on the New York Sales OU.
Link the Desktop Settings GPO to the New York Sales OU.
Remove the Block Inheritance from the New York Sales OU.

You are the administrator for the Active Directory Domain Services corp.net
domain. All domain controllers in the domain are running Microsoft Windows
Server 2012. You are in the process of configuring a Password Settings Object
[PSO] in ADSI Edit as shown in the exhibit. You need the PSO to apply to a
security group named SalesManagers that is located in the Sales
Organizational Unit [OU]. What should you enter as DN in the exhibit?
dc=net,dc=corp,ou=sales,cn=salesmanagers
dn=salesmanagers,ou=sales,dc=corp.dc=net
cn=salesmanagers,cn=sales,dc=corp,dc=net
cn=salesmanageIs,ou=sales,dc=corp,dc=net

You are the administrator for the Active Directory Domain Services corp.net domain. Domain
Controller [DC] configuration and domain password settings are shown in the exhibit. You
discover that members of the research department are reusing their old passwords when they are
required to change them. You do not want to make any changes to other users' password
requirements, but you do want to ensure that research users cannot reuse their old passwords.
You need to make the changes using the least administrative effort. What should you do?
Create a new Password Settings Object [PSO] in the corp.net domain and apply it to the research
users.
Create a new Organizational Unit [OU] for the research users. Create a new Group Policy object
[GPO] with the password requirements for the research users and link it to the OU.
Configure all DCs as global catalog servers. Create a new Password Settings Object [PSO] in the
corp.net domain and apply it to the research users.
Create a child domain in corp.net, assign new password settings for the domain, and move all
research users to that domain.

You should link the GPO. The New York Sales OU has block inheritance enabled. This has the
effect that only GPOs directly linked to the OU or GPOs with Enforced configured will be applied
on the users and computers in the New York Sales OU. You should not remove Block Inheritance.
If you remove Block Inheritance, you allow all GPOs higher up in the domain structure to be
applied to users and computers in the New York Sales OU. In this case, the BitLocker GPO will
also be applied. You should not create a new GPO. Although this would work, the effort required
to create and maintain the new GPO is higher than simply linking the existing GPO. Linking
GPOs is not always the best solution, especially in situations where you have slow network
connections. You should not force an update. Forcing an update of GPOs forces the users and
computers to ignore version numbers on the GPOs. This process is used if there are some
configurations that have not applied to users or computers. However, in this case, there is a Block
Inheritance on the OU. Forcing an update will have no effect.

cn=salesmanagers,ou=sales,dc=corp,dc=net
You should enter cn=salesmanagers,ou=sales,dc=corp,dc=net. Distinguished Name [DN] is the
full name of an object located in Active Directory. The name is put together from three elements:
dc=domain component, ou=organizational unit, and cn=canonical name. Simply put, you use dc
when it is part of the domain name, ou when it is the name of an OU, and cn for all other entries.
The name is written from bottom to top, ending with the domain name. You should not enter
dc=net,dc=corp,ou=sales,cn=salesmanagers. This places the components in the wrong order.
You should not enter cn=salesmanagers,cn=sales,dc=corp,dc=net. You should use ou, not cn, for
the sales parameter. You should not enter dn=salesmanagers,ou=sales,dc=corp,dc=net. DN is
the full name of an object located in Active Directory, not one of the components of the name.

Create a child domain in corp.net, assign new password settings for the domain, and move all research users
to that domain.
You should create a child domain. Password settings are normally only set in the Default Domain Policy
GPO. With the arrival of Microsoft Windows Server 2008, administrators had the ability to create PSO
objects to make different password settings for the user in the domain. However, to create PSO objects, you
need all DCs to be running at least Microsoft Windows Server 2008. If not, the only option for different
password settings is to create multiple domains, each with its own password settings. You should not create a
new PSO object. The creation of PSO objects requires that all domain controllers are running at least
Microsoft Windows Server 2008. With DC4 still running Microsoft Windows 2000 Server, the only thing you
can do is create a new domain for the research users. You should not create a new OU. Although it is possible
to configure password settings in any GPO, the only place where domain password settings can be changed
is in a GPO linked to the domain. If you link it to an OU, the settings only affect locally created user accounts
on those computers to which the GPO applies. You should not configure global catalog servers. Global
catalog is an option that you can choose to enable on DCs. The main function of the global catalog is to
respond to queries across domains in your forest. It is also responsible for maintaining the Universal group
membership list.

Create a Shadow Group.


You are the administrator for the Active Directory Domain Services corp.net domain. The
domain consists of domain controllers all running Microsoft Windows Server 2012. You need to
create a set of special password policies for the users located in an Organizational Unit [OU]
named Research. You need the password settings to take effect on all user accounts moved to the
Research OU. What should you do?
Create a Password Settings Object [PSO] and apply it to the Research OU.
Create a security group for all the users in the Research OU and apply a PSO to it.
Create a Shadow Group.
Create a Group Policy object [GPO] with the password settings and link it to the Research OU.

You are the administrator for the Active Directory Domain Services corp.net domain. The
domain consists of domain controllers running Microsoft Windows Server 2012 and client
computers running Windows 7. You are configuring a Group Policy object [GPO] to deploy
Adobe Reader to all users in the domain at first logon. You have created the GPO as shown in the
exhibit. You need to configure the installation to run without any user interaction. What should
you do?
Enable the option Do not display this package in the Add/Remove Program control panel.
Change the Deployment type to Published.
Change the Installation user interface options to Basic.
Enable the option Uninstall this application when it falls out of the scope of management.

You are the administrator for the Active Directory Domain Services
corp.net domain. The domain contains a Domain Name System
[DNS] server running Microsoft Windows Server 2012. You need to
configure a new host record on the DNS server. Which tool should
you use?
Dnscmd
Ipconfig
NSLookup
DNSLint

You are the administrator for the Active Directory Domain Services corp.net
domain. The domain contains a main office and five branch offices. In the
main office you have deployed two domain controllers [DCs] and in each of the
branch offices you have deployed one Read Only Domain Controller [RODC].
You need to configure each of the branch offices so that the RODC in the
branch office is caching membership of Universal groups. Which tool should
you use?
Active Directory Administrative Center
Active Directory Sites and Services
Active Directory Users and Computers
Active Directory Domains and Trusts

You should create a Shadow Group. A Shadow Group is not a group that you create in Active
Directory. A Shadow Group is more of a concept. First, create a security group. Then, create a
PSO that applies to the security group. At the end, create a scheduled script that adds all members
of the OU to the security group. You should not apply a PSO to the Research OU. You can only
apply a PSO to a security group or an individual user account, not to an OU. You should not
create a GPO. You can only specify the domain password setting in a GPO and this can only be
linked to the root of the domain. Although you can specify password settings in other GPOs, these
settings will only affect local user accounts on computers to which the GPO applies and not the
domain user accounts. You should not create a security group. Although this is part of the
solution, only creating the security group will not make all user accounts in the Research OU
members of the security group. You also need to create a scheduled script that adds all user
accounts in the OU to the security group. By adding all user accounts in the OU to the security
group, you create a Shadow Group.
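
The scheduled script described above could look like the following. This is an added example, not part of the original material; the OU path OU=Research,DC=corp,DC=net and the group name ResearchShadow are assumptions, and the removal step for accounts that have left the OU goes beyond what the text describes.

```powershell
#Requires -Modules ActiveDirectory
# Shadow Group sync: keeps a security group's membership equal to the set of
# user accounts in one OU, so a PSO applied to the group follows the OU.
# Assumed values (not from the original text): the OU distinguished name
# (Research placed directly under the domain root) and the group name.
param(
    [string]$OuDn      = 'OU=Research,DC=corp,DC=net',
    [string]$GroupName = 'ResearchShadow'   # hypothetical security group
)

Import-Module ActiveDirectory

# All user accounts currently in the OU, including any child OUs.
$ouUsers = @(Get-ADUser -Filter * -SearchBase $OuDn -SearchScope Subtree)

# Current direct user members of the shadow group.
$members = @(Get-ADGroupMember -Identity $GroupName |
             Where-Object { $_.objectClass -eq 'user' })

$ouDns     = @($ouUsers | Select-Object -ExpandProperty DistinguishedName)
$memberDns = @($members | Select-Object -ExpandProperty DistinguishedName)

# Accounts in the OU that are not yet in the group.
$toAdd = @($ouUsers | Where-Object { $_.DistinguishedName -notin $memberDns })

# Accounts in the group that are no longer in the OU. Without this step a
# user moved out of Research would keep the Research password policy.
$toRemove = @($members | Where-Object { $_.DistinguishedName -notin $ouDns })

if ($toAdd.Count -gt 0) {
    Add-ADGroupMember -Identity $GroupName -Members $toAdd
}
if ($toRemove.Count -gt 0) {
    Remove-ADGroupMember -Identity $GroupName -Members $toRemove -Confirm:$false
}

# One summary line per run, suitable for a scheduled-task log.
'{0:u} {1}: added {2}, removed {3}' -f (Get-Date), $GroupName,
    $toAdd.Count, $toRemove.Count
```

Run it as a scheduled task under an account that has rights to modify only this group's membership.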

Change the Installation user interface options to Basic.


You should change the Installation user interface options to Basic. This setting determines how
much input the user is required to give. If you change it to Basic, all options during the
installation that already have a default setting will assume that default setting is the correct one
and not prompt the user. You should not change the Deployment type. Published applications will
not be installed at logon. They will appear in the Add/Remove section in the Control Panel and
the user can choose to install it from there. You should not enable the Uninstall option. This
option is used to control whether an application should be uninstalled if the user or computer is
moved to a location in Active Directory where it is no longer managed by the GPO that
distributed the application. You should not enable the Do not display option. By enabling this
option, you would remove the users' ability to install the application from the Control Panel.

Dnscmd
You should use Dnscmd, which is the command-line tool for the DNS server. It can be used to
configure many aspects of the DNS server, including creating new records. The command
Dnscmd /recordadd corp.net server1 a 192.168.1.10 would add the Host [A] record
server1.corp.net with the IP address 192.168.1.10 to the DNS server. You should not use DNSLint.
DNSLint is a tool to create reports and run diagnostics on a DNS server. You should not use
Ipconfig. Although Ipconfig has some command switches related to DNS, it cannot be used to
configure any settings on the DNS server. The tool can only be used as a client computer tool. You
should not use NSLookup. NSLookup is a tool used to query a DNS server for records. It could be
used to query a DNS server for mail server records or service records. The tool cannot be used to
do any form of configuration on a DNS server.

Active Directory Sites and Services


You should use Active Directory Sites and Services. The caching of Universal group membership
is enabled on each site. To enable it, you need to go into Active Directory Sites and Services and
enable it under properties for NTDS site settings. You should not use Active Directory Users and
Computers. You use Active Directory Users and Computers to configure settings for objects such
as users, computers, and groups. The caching of Universal group membership is a function that
is enabled for the entire site. Therefore, you need to use Active Directory Sites and Services. You
should not use Active Directory Domains and Trusts. You use Active Directory Domains and
Trusts to configure trust relationships between Domains and other Forests. You should not use
Active Directory Administrative Center. Active Directory Administrative Center is a
PowerShell-based GUI interface to administer Active Directory. In Windows Server 2012, Microsoft has
added new features such as Password Settings Objects and the Active Directory Recycle Bin.

Decrease the Time To Live [TTL] on the web servers' records.

You are the administrator for the Active Directory Domain Services corp.net domain. The
domain contains a web server farm of ten web servers. All the web servers are configured in the
Domain Name System [DNS] server with the name web.corp.net. At times, you discover that if
you need to make changes to the web servers, some users have problems connecting to the web
servers if the web server that you are making changes to is offline. You need to make sure that if
you take one web server offline, another can respond to the user without too much down time.
What should you do?
Increase the Time To Live [TTL] on the web servers' records.
Decrease the Time To Live [TTL] on the web servers' records.
Decrease the Time To Live [TTL] on the Start of Authority [SOA] record.
Configure each web server with its own name instead of web.corp.net.

You should decrease the TTL for the web servers' records. The problem in this case is that, whenever a user
queries the DNS server for the name web.corp.net, the DNS server returns an IP address for the server next
in line to respond. However, if the IP address is already in the DNS cache on the client computer, the
computer does not try to query the DNS server and uses the local cache instead. By decreasing the TTL for
the records, you can force the client computers to not use the local cache for too long. This allows for
querying the DNS server more often. You should not increase the TTL. Increasing the TTL on the web server
records results in the IP address for the web server being cached for a longer period of time on the client
computer. This does not help you with the problem. You need to have the records cached for a shorter
period of time. You should not configure the web servers with their own names. The servers are configured
with the same name, web.corp.net, which enables round robin on the DNS server. This makes it easier for the
users to access the servers. Changing the names does not change the period of time that an individual
server's IP address is cached on the client computers. You should not decrease the TTL on the SOA record.
The SOA record is the record that holds configuration information for a given zone in the DNS. Changing
the TTL for this record only influences how long this record is cached on computers and not the records for
the web servers.

You are the administrator for the Active Directory Domain Services
corp.net domain. The domain contains an Organizational Unit
[OU] named Sales. Currently, there are two Group Policy objects
[GPO] linked to the OU. You need to change the precedence order
of the two GPOs. What should you do?
Use the command Gpedit.msc.
Use the command Gpresult.
Use the PowerShell cmdlet Set-GPInheritance.
Use the PowerShell cmdlet Set-GPLink.

Use the PowerShell cmdlet Set-GPLink.


You should use the PowerShell cmdlet Set-GPLink. GPOs can be linked to an OU or inherited
from higher up in the domain structure. Inherited GPOs follow this precedence order: Site then
Domain then OU. In case of a conflict in settings, the last set GPO wins. If you link GPOs, you can
change the order in which they apply. You can use the Group Policy Management console or the
PowerShell cmdlet Set-GPLink. You should not use Set-GPInheritance. This cmdlet is used to
control whether or not inheritance of GPO settings is enabled on a domain or OU. If you use the
command to block inheritance on an OU, only GPOs higher up in the domain structure with the
option Enforced set will be applied to the OU. You should not use Gpresult. Gpresult is a
diagnostic command to determine the Resultant Set of Policies [RSOPs] applied to a user or
computer. You can also use the command RSOP.msc to perform this task. You should not use
Gpedit.msc. Gpedit.msc is used to configure the local GPO settings on a computer.

Configure slow link detection.


You are the administrator for the Active Directory Domain Services corp.net domain. The
domain contains domain controllers [DCs] running Microsoft Windows Server 2012 and client
computers running Windows 7 and 8. The domain is distributed among one main office and
three branch offices as shown in the exhibit [communication links are measured in kilobits per
second [Kps]]. All DCs are located in the main office. You configure a Group Policy object [GPO]
and link it to the root of the domain. The GPO is configured to install a preparatory application
to all computers in the domain. You discover that some users do not receive the application.
What should you do?
On the affected computers, run gpupdate /force.
On the Organizational Units [OUs] containing the affected computers, run Group Policy Update.
Configure slow link detection.
Run the command Invoke-GPUpdate.

You are the administrator for the Active Directory Domain Services corp.net domain. The
domain contains domain controllers running Microsoft Windows Server 2012 and client
computers running Windows 8. You have deployed Microsoft Office 2010 using a Group Policy
object [GPO] linked to the root of the domain. After a few days, you discover that when domain
users save documents in Word 2010 using the default save location, the documents are not saved
on the users' home drive but on the local computer. You need to change the setting on all client
computers using the least amount of administrative effort. What should you do?
Create an answer file for the Office 2010 installation including the correct file location and
redeploy the Office 2010 installation using a GPO linked to the root of the domain.
Add the ADMX files for Office 2010 to the Group Policy Management Console and change the file
location settings in a GPO linked to the root of the domain.
Configure a GPO with folder redirection for the Documents folder and link it to the root of the
domain.
Reconfigure all computers manually to save documents in the correct location.

You are the administrator for the Active Directory Domain Services corp.net domain. The
domain contains domain controllers running Microsoft Windows Server 2012 and client
computers running Windows 8. You need to configure the computers belonging to members of
the Sales security group to store all documents in the Documents folder on a file server in the
domain. The members of the Sales security group are located in different Organizational Units
[OUs] in the domain. Your solution should only store files from the Documents folder on the file
server. What should you do?
Create a Group Policy object [GPO], link it to the domain, and configure Basic folder redirection.
In Active Directory Users and Computers, configure each member of the Sales security group
with a roaming profile.
Create a Group Policy object [GPO], link it to the OUs that contain
members of the Sales security group, and configure Basic folder redirection.
Create a Group Policy object [GPO], link it to the domain, and configure Advanced folder
redirection.

You are the administrator for the Active Directory Domain Services corp.net
domain. The domain contains five Domain Name System [DNS] servers, all
configured to run on Microsoft Windows Server 2012 domain controllers. By
inspection, you notice that the corp.net zone on the DNS server contains many
old records from computers that are no longer part of the domain. You need
to delete the old records using the least administrative effort. What should you
do?
Decrease the TTL on the DNS servers.
Decrease the Minimum [default] TTL.
Configure scavenging on the DNS servers.
In the SOA record, configure Expires after one day.

You should configure slow link detection. By default, slow link detection is configured to 500
Kps so any application configured to be deployed through group policies will only be applied if
the connected speed is higher than 500 Kps. The link speed in branch offices 2 and 3 is below 500
Kps. So, in order for the application to be deployed, you need to change the slow link detection to
250 Kps or lower. You should not run gpupdate /force. The command gpupdate /force will force
the affected computer to apply all group policies, even if they have not been changed. In this case,
the speed of the link is the problem so running the command will have no effect. You should not
run Group Policy Update. The option to run Group Policy Update from the Group Policy
Management Console is a new function in Windows Server 2012, but in this case, the problem is
the link speed to the branch offices, so updating the group policies will have no effect. You should
not run Invoke-GPUpdate. The option to invoke an update of group policies on all computers in
the domain remotely is a new function in Windows Server 2012. But in this case, the problem is
the link speed to the branch offices, so updating the group policies will have no effect.

Add the ADMX files for Office 2010 to the Group Policy Management Console and change the file
location settings in a GPO linked to the root of the domain.
You should use the ADMX files. You can download ADMX files from the Microsoft website and
add them to the administrative section of group policies. Doing this will add the option to change
almost all of the settings in the different products of the Office package. You should not configure
folder redirection. Although configuring folder redirection for the Documents folders would
redirect all documents stored in Word 2010, it would also redirect all other files stored in the
Documents folder on each user's computer. You should not create an answer file. Using an
answer file for an Office installation is only an option during the installation. After the
installation, you should use ADMX files in group policies to change settings in the Office
installation. You should not reconfigure all computers manually. Although it is possible to
change the setting by doing it manually, it would simply take too much time.

Create a Group Policy object [GPO], link it to the domain, and configure Advanced folder redirection.
You should configure Advanced folder redirection. Folder redirection can be configured for a number of
different folders including the Documents folder. It has two main settings: Basic and Advanced. Basic
settings will redirect all users' documents if the GPO applies to them. Advanced will redirect all users'
documents if the GPO applies to them, but on a security group membership basis. You should not configure
Basic folder redirection. Basic folder redirection configured in a GPO linked to the domain will redirect all
users' documents to the file server, not only those belonging to members of the Sales security group. You
should not configure roaming profiles. Although a roaming profile would include the Documents folder and
its content, it would also redirect all other aspects of the user's profile, such as settings on the desktop and
the Start menu. You should not link a GPO to all OUs that contain members of the Sales security group and
configure Basic folder redirection. Configuring Basic folder redirection in a GPO linked to an OU will redirect
all users' documents in that OU to the file server and not only those belonging to members of the Sales
security group.

Configure scavenging on the DNS servers.


You should configure scavenging. Scavenging is the process of cleaning up old records that have been added
dynamically to the DNS server. When you configure scavenging, you configure a no-refresh interval. A
no-refresh interval occurs when the DNS does not change anything regarding the record. The refresh interval is
the interval in which the DNS server renews the registration of a record. Put the two numbers together and
you get the amount of time before a record is deleted from the DNS server if there has been no further
contact. You should not decrease the TTL. Time To Live [TTL] is a configuration that determines how long a
record is cached in the local cache on the client computers. This setting has nothing to do with how long a
record exists on the DNS server. You should not decrease the Minimum [default] TTL. This setting
determines the default Time To Live that new records on the DNS server should have. This setting only
affects the amount of time a record is cached in the local cache on client computers. You should not
configure Expires after in the SOA record. This configuration is only used to control how DNS servers holding
secondary zones should behave when they try to initiate a zone transfer from a primary DNS server.

You are the administrator for the Active Directory Domain Services corp.net domain. The domain contains
four servers, all running Microsoft Windows Server 2012. They have been configured with the networking
services as shown in the exhibit. You need to configure a new forward lookup zone named corporate.net.
Users in the domain should be able to resolve names for the corporate.net zone on all Domain Name System
[DNS] servers. You need to enable name resolution for corporate.net on all DNS servers using the least
administrative effort. What should you do?
On DC1, create the zone as a Primary zone. Configure zone transfer to DC2, SERVER1, and SERVER2.
Create a secondary zone for corporate.net on DC2, SERVER1, and SERVER2.
On DC1, create the zone as an Active Directory-integrated zone. Configure zone transfer to SERVER1 and
SERVER2. Then, create a secondary zone for corporate.net on SERVER1 and SERVER2.
On DC1, create the zone as an Active Directory-integrated zone.
On DC1, create the zone as an Active Directory-integrated zone. Configure zone transfer to DC2, SERVER1
and SERVER2. Create a secondary zone for corporate.net on DC2, SERVER1, and SERVER2.

You are the administrator for the Active Directory Domain Services corp.net
domain. The domain contains several domain controllers [DCs], all running
Microsoft Windows Server 2012. You have created a snapshot of the Active
Directory database on one of the DCs by using Ntdsutil. You need to connect to
the snapshot using Active Directory Users and Computers. You first mount the
snapshot by using Ntdsutil. What should you use to export the data?
Dsget
Ntdsutil
Dsamain
Set-ADDomain

You are the administrator for the Active Directory Domain Services
corp.net domain. The domain contains several Domain Name System
[DNS] servers, all running Microsoft Windows Server 2012. You need to
configure a new Active Directory Integrated Forward Lookup Zone to
only replicate among five of the DNS servers. Which tool should you
use?
Netsh
Dnscmd
DNSLint
DNS Manager

You are the administrator for the Active Directory Domain Services corp.net
domain. The domain contains two Domain Name System [DNS] servers: DNS1
and DNS2. DNS1 hosts the primary zone for corp.net and DNS2 is configured
with a secondary zone for corp.net. The configuration for the Start of
Authority [SOA] properties is shown in the exhibit. You discover that zone
transfer from DNS1 to DNS2 is very slow. You need to change settings to
speed up zone transfer, but without generating unnecessary network traffic.
What should you do?
Change Minimum [default] TTL for the corp.net zone.
Decrease the Serial number on the corp.net zone.
Decrease the Refresh interval on the corp.net zone.
Configure Notification on the corp.net zone.

You are the administrator for the Active Directory Domain Services corp.net domain. The domain includes
offices in three different locations, each represented by an Organizational Unit [OU] as shown in the
exhibit. In the Vancouver office, you have created a Group Policy object [GPO] to deploy Microsoft Office
2013 to all users [all user accounts are located in the Users OU]. You have delegated some simple form of
administration to a few users that requires them to physically log on to the servers in the Vancouver office.
All servers are located in the Servers OU. You need to reconfigure the settings so that when the users log on
to the servers, Office 2013 is not deployed. All users should still receive Office 2013 when they log on to other
computers. What should you do?
Create a GPO and link it to the Users OU. Configure the loopback processing mode to replace.
Configure the Microsoft Office 2013 GPO with loopback processing mode set to merge.
Create a GPO and link it to the Servers OU. Configure the loopback processing mode to replace.
Configure the Microsoft Office 2013 GPO with loopback processing mode set to replace.
Create a GPO and link it to the Servers OU. Configure the loopback processing mode to merge.
Create a GPO and link it to the Users OU. Configure the loopback processing mode to merge.

On DC1, create the zone as an Active Directory-integrated zone. Configure zone transfer to SERVER1 and
SERVER2. Then, create a secondary zone for corporate.net on SERVER1 and SERVER2.
You should create the zone as an Active Directory-integrated zone and then configure zone transfer to
SERVER1 and SERVER2. You only have one domain, so if you configure an Active Directory-integrated
zone, it automatically replicates to all other domain controllers in your domain and in this case, it is DC2.
SERVER1 and SERVER2 are not configured as domain controllers. Therefore, you need to configure them
with secondary zones. You should not configure zone transfer to all servers. DC2 is configured as a domain
controller in your domain. Therefore, it will be automatically configured with the corporate.net zone. You
only need to configure SERVER1 and SERVER2 with secondary zones. You should not create the zone as a
Primary zone. Although this would work, it would be much easier to configure the zone as an Active
Directory-integrated zone because this would automatically configure the zone on DC2 and you only need
to configure SERVER1 and SERVER2. You should not only create the zone as an Active Directory-integrated
zone. Active Directory-integrated zones are by default only replicated to other domain controllers. To
replicate the zones to non-domain controllers you need to configure zone transfer and create secondary
zones.

Dsamain
You should use the Dsamain tool. After you mount the snapshot by using Ntdsutil, the snapshot is
just mounted to a folder on the volume. To be able to connect to it using Active Directory Users
and Computers, you use Dsamain to export the snapshot and assign a port number that can be
used by Active Directory Users and Computers to connect. You should not use Ntdsutil. Ntdsutil
can only be used to control snapshots, not to create an instance of the snapshot that is
connectable from Active Directory Users and Computers. You would use Ntdsutil to mount the
snapshot, then Dsamain to make a connectable instance, and then Ntdsutil to unmount the
snapshot when you are finished. You should not use Dsget. Dsget is a command line tool
designed to collect information about objects in Active Directory. You can use it to query a user
account for all the group memberships that it has. You should not use Set-ADDomain. The
PowerShell cmdlet Set-ADDomain is used to set attributes on a given domain. If you run the
command Get-ADDomain, you will get a list of attributes set on the given domain. You can then
use Set-ADDomain to alter the settings.

Dnscmd
You should use Dnscmd with the switch /createdirectorypartition to create a partition in Active
Directory. After that, you can enroll DNS servers in the directory partition with the Dnscmd
/enlistdirectorypartition command and then configure the Forward Lookup Zone to only
replicate to the newly created directory partition. You should not use the Netsh command. The
Netsh command is used to configure network settings, such as IP addresses and Firewall
settings, not directory partitions. You should not use DNS Manager. DNS Manager is the GUI
tool to create and configure Forward Lookup Zones in DNS. However, it cannot be used to create
or enlist servers in directory partitions. You should not use DNSLint. DNSLint is a DNS tool
designed to help diagnose configurations on DNS servers. It cannot be used to configure or enlist
servers in directory partitions.
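
The Dnscmd sequence described above, scripted for five servers. This is an added example, not part of the original material; the partition name, the zone name and the server names DNS1 to DNS5 are constructed placeholders.

```powershell
# Scope an AD-integrated zone to a custom application directory partition
# so that it replicates only to the enlisted DNS servers.
# Constructed placeholders (not from the original text):
$Partition = 'dnsscope.corp.net'       # FQDN of the new directory partition
$Zone      = 'newzone.corp.net'        # the new forward lookup zone
$Servers   = 'DNS1', 'DNS2', 'DNS3', 'DNS4', 'DNS5'

function Invoke-Dnscmd {
    # Runs dnscmd.exe and stops the script if the command reports failure.
    param([Parameter(Mandatory)][string[]]$Arguments)
    $output = & dnscmd.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "dnscmd $($Arguments -join ' ') failed: $output"
    }
    $output
}

# 1. Create the directory partition on the first server.
Invoke-Dnscmd -Arguments $Servers[0], '/CreateDirectoryPartition', $Partition

# 2. Enlist the remaining servers in the partition. The new partition must
#    have replicated to a server's domain controller before it can enlist,
#    so rerun this step later if a server reports that the partition
#    does not exist yet.
foreach ($server in ($Servers | Select-Object -Skip 1)) {
    Invoke-Dnscmd -Arguments $server, '/EnlistDirectoryPartition', $Partition
}

# 3. Create the AD-integrated zone directly inside that partition.
Invoke-Dnscmd -Arguments $Servers[0], '/ZoneAdd', $Zone, '/DsPrimary', '/DP', $Partition

# 4. Review the partition state as seen from each server.
foreach ($server in $Servers) {
    Invoke-Dnscmd -Arguments $server, '/DirectoryPartitionInfo', $Partition
}
```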

Configure Notification on the corp.net zone.


You should configure Notifications. The default behavior for zone transfer is that the secondary server
queries the primary server in the interval configured as the Refresh interval. The problem with the Refresh
interval is that the secondary server queries the primary server even if there are no new entries on the
primary server. By configuring Notifications, the primary server will notify the secondary server when new
updates are available and the secondary server will then request a zone transfer. You should not decrease
the Refresh interval. Decreasing the Refresh interval will force the secondary server to query the primary
server at a more frequent interval, even if there are no new updates on the primary server. This will generate
unnecessary network traffic. You should not decrease the Serial number. The Serial number is used between
the primary and secondary server to query for new updates. If new updates are created on the primary
server, the Serial number will increase. When the secondary server queries the primary server for updates,
the increased Serial number indicates that new updates are available. You should not change Minimum
[default] TTL. The Time To Live [TTL] interval indicates how long a record is cached on the client
computer after it has queried the DNS server. The TTL setting is not used in the process of zone transfer
between a primary and secondary DNS server.

Create a GPO and link it to the Servers OU. Configure the loopback processing mode to replace.
You should create a GPO and link it to the Servers OU; then, configure the loopback processing mode to replace. Normally,
when you apply GPOs, both the computer and the user parts of the GPO are applied. In this case, you need to stop the user
part from applying when the user logs on to the servers in the Servers OU. Therefore, you configure a GPO on the Servers OU
with loopback processing. Loopback processing can run in two modes, merge mode, where all settings are read, but the
processing order is reversed [first user settings, then computer settings] or replace mode, where only the computer settings
are read. You should not configure merge mode on the Servers OU. Loopback processing running in merge mode will still
read and apply all settings from both the computer and the user. In this case, the Office application would still be installed.
You should not configure replace mode on the Users OU. You need to stop the application from being installed when the user
logs on to the servers in the Servers OU. Therefore, configuring loopback processing replace mode on the Users OU would
have no effect on the servers in the Servers OU. You should not configure merge mode on the Users OU. You need to stop the
application from being installed when the user logs on to the servers in the Servers OU. Therefore, configuring loopback
processing merge mode on the Users OU would have no effect on the servers in the Servers OU. You should not configure
replace mode on the Office 2013 GPO. You need to stop the application from being installed when the user logs on to the
servers in the Servers OU. This would stop the application from being installed on all computers in the Vancouver office. You
should not configure merge mode on the Office 2013 GPO. You need to stop the application from being installed when the
user logs on to the servers in the Servers OU. Therefore, configuring loopback processing mode in merge mode would have
no result on the servers in the Servers OU.

You are the administrator for the Active Directory Domain Services corp.net
domain. The domain is configured in Hyper-V and all servers are running
Microsoft Windows Server 2012. You need to configure a new Domain
Controller [DC] and decide to clone one of the existing DCs. The existing DC is
configured with the following services: RID Master, Domain Naming Master,
and global catalog. You run the New-ADDCCloneConfigFile cmdlet, but receive
an error. What should you do?
Transfer all FSMO roles from the DC.
Add the DC to the Hyper-V Administrators security group.
Remove the global catalog from the DC.
Add the DC to the Cloneable Domain Controllers security group.

You are the administrator for the Active Directory Domain Services
corp.net domain. The domain is configured with several domain
controllers all running Microsoft Windows Server 2012. You need to
configure a central store to hold all the ADM and ADMX files. You plan
to create a folder named policydefinitions and copy all ADM and ADMX
files to that folder. Where should you create this folder?
In the location c:\windows\sysvol\policies
In the location c:\windows\sysvol\sysvol\corp.net
In the location c:\windows\sysvol\sysvol\corp.net\policies
In the location c:\windows\corp.net\policies

You are the administrator for the Active Directory Domain Services corp.net
domain. The domain relies on the Domain Name System [DNS] for name
resolution. The DNS server is configured as shown in the exhibit. Users in the
domain are reporting that they are unable to resolve names on the Internet.
Internal name resolution works well. You need to resolve the problem and
enable Internet name resolution for the users. What should you do?
On the DNS server, delete all Root Hints.
On the DNS server, configure Forwarders.
Delete the .[root] Forward Lookup Zone.
Change the DNS IP address on the client computers.

You are the administrator of the Active Directory Domain Services [AD DS] domain corp.net. All
domain controllers are running Microsoft Windows Server 2012 and all client computers are
running a mix of Windows 7 and Windows 8. A server named PrintServer1 is configured as a
print server. You have installed and shared a network printer on PrintServer1. You need to
configure all client computers to use the printer on PrintServer1. You want to accomplish the
task using Group Policy Preferences. What should you do? [Each correct answer presents a
complete solution. Choose two.]
Create a Shared Printer using the Create action.
Create a Shared Printer using the Update action.
Create a TCP/IP Printer using the Update action.
Create a Local Printer using the Update action.
Create a Local Printer using the Create action.
Create a TCP/IP Printer using the Create action.

Add the DC to the Cloneable Domain Controllers security group.


You should add the DC to the Cloneable Domain Controllers security group. To clone a DC, you
first need to add the DC to the security group and then use the Get-ADDCCloningExcludedApplicationList cmdlet to scan for incompatible programs and services
and the New-ADDCCloneConfigFile cmdlet to configure settings for the new DC. You should not
transfer all Flexible single master operation [FSMO] roles. The FSMO roles are special roles
assigned to DCs. The only FSMO role not supported by the cloning process is the PDC Emulator.
Although it is possible to clone a DC running the other FSMO roles, best practice would be to
clone a DC without any FSMO roles. You should not remove the global catalog. Global catalog is
a part of the Active Directory database that includes partial attributes of all objects in the Active
Directory forest. There is no problem in cloning a domain controller configured as a global
catalog server. You should not add the DC to the Hyper-V Administrators security group. The
group is used to grant administrators permissions to change configurations in Hyper-V.

In the location c:\windows\sysvol\sysvol\corp.net\policies


In order to create a central store to hold the ADM and ADMX files used in the Administrative
templates section of group policies, you need to create a folder named policydefinitions in the
following location: c:\windows\sysvol\sysvol\corp.net\policies. Everything located in the sysvol
folder will automatically be replicated to all domain controllers in the domain. After the
creation of the folder, all you need to do is copy all ADM and ADMX files to the folder. You
should not create the policydefinitions folder in any of these locations:
c:\windows\sysvol\policies
c:\windows\sysvol\sysvol\corp.net
c:\windows\corp.net\policies

Delete the .[root] Forward Lookup Zone.


You should delete the .[root] zone. The .[root] zone denotes the zones on the DNS server and
configures the DNS server to act as a root server. This will result in the DNS server not
forwarding any requests for names that it cannot resolve itself. In this case, no name resolutions
are attempted for Internet names. If you delete the .[root] zone, the DNS server will use Root
Hints on the Internet for name resolution. You should not change the DNS IP address. There is no
need to change the DNS IP address on the clients. If internal name resolution works, then the
problem is not the DNS IP address on the clients. You should not delete the Root Hints. The Root
Hints on the DNS server are responsible for name resolution on the Internet. Deleting the Root
Hints will render the DNS server unable to resolve Internet names. You should not configure
Forwarders. Forwarders are used to configure where the DNS server should forward the name
request from the clients if it cannot resolve the name itself. This function only works if there is no
.[root] zone on the DNS server. Therefore, if you need to use a Forwarder, you should delete the
.[root] zone first.

Create a Shared Printer using the Create action.


Create a Shared Printer using the Update action
You should create a Shared Printer using the Update action or the Create action. A shared printer
will connect to the print server and submit its print job to the print server. The Update action will
update an existing printer and, if none exists, it will create one. The Create action will create a
new printer but not update an existing one. You should not create a TCP/IP Printer using the
Update action or the Create action. A TCP/IP Printer will use the IP address of the print device to
submit the print directly to the device instead of the print server. The Update action will update
an existing printer and, if none exists, it will create one. The Create action will create a new
printer but not update an existing one. You should not create a Local Printer using the Update
action or the Create action. By using this option a Local Printer will be created. This is only
useful if the client computer has a locally attached print device. The Update action will update a
printer if it exists; if not, it will create one. The Create action will create a printer but not update
one if it already exists.

Change the preference value for mail3.corp.net to 5.

You are the administrator of the Active Directory Domain Services corp.net domain. The domain
contains three Microsoft Exchange 2010 servers. You use NSLookup to query your local Domain
Name System [DNS] server for mail exchanger [MX] records. The result is shown in the exhibit.
You need to reconfigure the records so that mail3.corp.net receives all mail for the corp.net
domain and mail1.corp.net and mail2.corp.net only receive mail if mail3.corp.net does not
answer. What should you do?
Disable Round Robin on the DNS server.
Change the preference value for mail3.corp.net to 15.
Change the preference value for mail1.corp.net and mail2.corp.net to 5.
Disable Netmask ordering on the DNS server.
Change the preference value for mail3.corp.net to 5.

You should set the preference value on mail3.corp.net to 5. Preference on MX records controls the order in
which the servers respond. A record with a lower preference responds before a record with a higher
preference. If all records have the same preference and if Round Robin is enabled on the DNS server, the
servers take turns in responding to requests [in this case receiving emails]. You should not change the
preference value for mail1.corp.net and mail2.corp.net to 5. Preference on MX records controls the order in
which the servers respond. As noted, a record with a lower preference responds before a record with a
higher preference. You should not change the preference value for mail3.corp.net to 15. As noted, the
preference on MX records controls the order in which the servers respond. You should not disable Round
Robin. Round Robin on the DNS server ensures that if records with the same name exist, they will take turns
in responding to requests [in this case, receiving emails]. In this scenario, disabling Round Robin forces only
one server to answer. You should not disable Netmask ordering. Netmask ordering is used together with
Round Robin to ensure that if multiple records exist with the same name, the client receives the IP address
of the closest record. This record is for a server that exists in the same subnet as the client computer.

Manually record all the configuration settings for SQL Server, including the SQL logging properties

You have an Active Directory Domain Services [AD DS] domain named example.com. You have
been tasked with migrating your current Network Policy Server [NPS] that is located on a
Microsoft Windows Server 2008 R2 server to a Windows Server 2012 server. Your source server
has SQL logging enabled for your NPS. The migration has been going as expected, and you are at
the point of exporting the configuration settings from the source server to an XML file, which you
will import to the destination server. You need to ensure that you have the configuration settings
for SQL. What should you do?
Run the command: netsh nps export filename="<path>\SQL.xml" exportPSK=YES
In Server Manager, right-click on the NPS and then click Export Configuration
Use the Export Wizard in Server Manager\Roles\Network Policy and Access Service\NPS\
Manually record all the configuration settings for SQL Server, including the SQL logging
properties

You have developed an application that will be installed on a computer
running Microsoft Windows Server 2012. The server belongs to an
Active Directory Domain Services [AD DS] domain. You are preparing
the installation package for your application. You need to publish
binding information about a service that runs as part of the application.
What should you use to do this?
The Key Distribution Center [KDC]
The Lightweight Directory Access Protocol [LDAP]
A Service Principal Name [SPN]
A connection point object

You manage an Active Directory Domain Services [AD DS] domain named example.com. A
Microsoft Windows Server 2012 server named Server1 is joined to the domain. It has Network
Policy and Access Services installed on it and is being used as a RADIUS Server for 802.1x
Wireless or Wired Connections. The organization has purchased multiple 802.1x devices to
provide remote access to the network. All the 802.1x RADIUS clients are on the same subnet,
which is 172.16.50.0/24. You have been tasked with setting up all the RADIUS 802.1x clients so
that they have the same shared secret for accessing the RADIUS server. What do you need to
configure?
Create a new Connection Request policy.
When setting the shared secret, ensure that you have the Generate password radio button
selected.
Put a Global Group name that has all the 802.1x RADIUS clients as members in the Address
[IP or DNS]: text field.
On the properties page of the New RADIUS Client in the Address [IP or
DNS] text field, you should enter an IPv4 address with the range 172.16.50.0/24.

Your company consists of several Active Directory Domain Services domains
all configured in the same forest. One of the domains is located in a remote
location. There is no IT staff employed on location. Sometimes, users in the
domain forget their passwords and, as a result, they lock themselves out of
the domain. You need to make sure that the user accounts are automatically
unlocked again after a period of 30 minutes. What should you do?
Configure maximum lifetime for user ticket renewal.
Configure reset account lockout counter after.
Configure account lockout threshold.
Configure account lockout duration.

Your company contains a main office and a branch office. The branch office is
configured with a Read Only Domain Controller [RODC] for an Active
Directory Domain Services domain. You need to grant the local IT staff in the
branch office permissions to do day-to-day maintenance of the RODC. You
need to grant the least amount of administrative permissions. What should
you do?
Use the Local Users and Groups to assign the permissions.
Use netdom.exe to assign the permissions.
Use dsmgmt.exe to assign the permissions.
Use net use to assign the permissions.
Use Active Directory Users and Computers to assign the permissions.

For SQL configuration settings that you need for the new server, you must record them manually. All the
configuration settings for NPS on a Windows Server 2008 are stored as XML files. These files, with the
exception of the SQL configuration files, can then be imported into the destination server. The Network
Shell [NetSh] command line utility and the Windows interface can be used to import and export the XML
files; however, the SQL settings are not included in the export. To gain access to the basic SQL
configuration settings you would use a netsh command that will pipe the SQL configuration settings to a
text file. You would use this command:
netsh nps show sqllog > C:\sql.txt
In this example, the netsh command is going to pipe the sqllog file to a location that you have specified
[C:\] and save the settings in a file named sql.txt. Once the information is in a text file, you will then be
able to open the file and copy all the basic SQL settings so that you can then set them to be the same in the
destination server. Right-clicking on the NPS and then clicking Export configuration will export everything
except the SQL settings. The netsh command netsh nps export filename="<path>\SQL.xml" exportPSK=YES
is correct if you want to call your XML file SQL.xml, but using this command will not ensure that the SQL
configuration settings are recorded. There is not an Export Wizard.

A connection point object


You should use a connection point object to publish binding information about the service. A
connection point object, which is also called a service object, is associated with the AD DS
computer object for the computer on which the service is running. You do not use an SPN to
publish binding information about the service. Client applications that communicate with the
service use the SPN for the service to identify and authenticate the service. You do not use the KDC
to publish binding information about the service. Client applications that communicate with the
service rely on the KDC for mutual authentication. The KDC uses attributes of the SPN. You do
not use LDAP to publish binding information about the service. LDAP is the protocol that
applications and services use to communicate with AD DS.

On the properties page of the New RADIUS Client in the Address [IP or DNS]
text field, you should enter an IPv4 address with the range 172.16.50.0/24.
You can use Classless Inter-Domain Routing [CIDR] notation to add blocks of
RADIUS clients to the NPS console. This will save time over adding them
individually if you are adding multiple 802.1x clients. Once the CIDR block is
entered, you can then set a password for all the clients in the subnet range.
Generating a password will not affect the whole group if the IP address is not
set to the subnet in question. A connection request policy is set up after the
RADIUS Server is configured. Adding the machines to a Global Group would
not satisfy the requirements because the information asked for is an IP
address or a DNS name.

Configure account lockout duration.


You should configure lockout duration. Account lockout duration is located under the account
lockout policy and, if you configure it with a time period of 30 minutes, any user account that is
locked will automatically be unlocked after 30 minutes. You should not configure lockout
threshold. Account lockout threshold is a setting that determines how many unsuccessful logon
attempts the users will have before their account is locked. You should not configure reset
account lockout counter. Assume that you have configured an account lockout threshold of 3.
After 3 unsuccessful logon attempts, the user account is locked. However, if the user only makes
two unsuccessful logon attempts, the lockout counter is reset to 0 after a successful logon. The
same goes for reset account lockout counter, only this works on a time basis. You should not
configure maximum lifetime. The maximum lifetime for user ticket renewal determines the
maximum period for which a user ticket can be renewed. User tickets are issued by a domain
controller and are used as part of the authentication system to grant the user access to resources
in the domain.

Use dsmgmt.exe to assign the permissions.


You should use dsmgmt.exe to assign the permissions. Normally, you cannot assign local
administrator permissions for a Domain Controller [DC]. However, RODCs have an option to
configure local permissions. There are no graphical interfaces to do it, so you need to use the
dsmgmt.exe command. You should not use Active Directory Users and Computers. This tool can
only be used to assign permissions using the groups in Active Directory. You need to assign
permission locally to the RODC, so you cannot use Active Directory Users and Computers. You
should not use the Local Users and Groups. There are no local Users and Groups on a Read Only
Domain Controller. After the server is promoted to a DC or RODC, the local users and groups
are moved to Active Directory Users and Computers. You should not use netdom.exe.
Netdom.exe can be used to add computers to a domain, but cannot be used to assign
permissions to the RODC. You should not use net use. Net use is used to configure access to
shared folders and cannot be used to assign permissions to the RODC.

Your company contains servers running Microsoft Windows Server 2012 and client computers
running a mix of Windows 8, Windows 7, and Windows XP. You configure a new Group Policy
object [GPO] and link it to the root of the domain. The GPO is configured as shown in the exhibit
and is intended to configure a mapped drive on all client computers. On inspection, you discover
that not all client computers have been configured with the new mapped drive. You need to ensure
that the GPO configures the mapped drive on all client computers. What should you do?
Install the Client Side Extensions on the affected computers.
Change the Action on the GPO to Create instead of Update.
Reconfigure the GPO so that the configurations apply to the Computer Configuration part of the
GPO instead of the User Configuration.
On the affected computers, run the command gpupdate /force.

Your company has a computer running Windows Deployment Services [WDS] and a computer
running the Dynamic Host Configuration Protocol [DHCP] service. You have added an image of
Microsoft Windows 8 to the WDS server. In Active Directory you have created an Organizational
Unit [OU] named SalesOffice. You need to deploy five computers to the sales department. The
computers are going to be installed by the users in the sales department themselves using the
WDS server. The computers must be added to the SalesOffice OU. What should you do? [Each
correct answer presents a complete solution. Choose two.]
In the WDS management console, create five Active Directory Prestaged Devices.
In Active Directory Users and Computers, create the five computers as managed computers.
In the properties for the WDS server, change the AD DS settings to create the computer accounts
in the SalesOffice OU.
In Active Directory Users and Computers, create the five computers.

Your company has an Active Directory domain. You have ensured that your network
infrastructure meets the requirements to support DirectAccess and have installed a DirectAccess
server. You have 35 users who use portable computers running Microsoft Windows 7 Enterprise
Edition. You need to configure these computers to meet these requirements:
* When working remotely, clients must be able to use DirectAccess to access
resources on the internal network.
* Access to Internet resources should not go through the
internal network when clients are working remotely.
What should you do?
Run the DirectAccess Setup Wizard on the server and on each client computer.
Create a security group, add the portable computers, and run the DirectAccess Setup Wizard on
the server.
Run the DirectAccess Setup Wizard on each client computer.
Upgrade the client computers to use Windows 7 Ultimate Edition and run the DirectAccess Setup
Wizard on each client computer.

Your company has one Active Directory Domain Services domain consisting of one main office and four
branch offices. In each branch office, there are 100 client computers all running Microsoft Windows 3. All IT
staff is located in the main office. You need to provide the client computers in the domain with security
updates. The solution has to be as easy to administer as possible while making sure that the Internet
connections in the main and branch offices are not overloaded with traffic. What should you do?
In the main office, install Windows Server Update Services [WSUS] and configure it to collect updates from
Microsoft. Then use Group Policy objects to configure all client computers to use the WSUS server in the
main office.
In the main office, install Windows Server Update Services [WSUS] and configure it to collect updates from
Microsoft. In each branch office, install WSUS and configure it as a replica server.
In the main office, install Windows Server Update Services [WSUS] and configure it to collect updates from
Microsoft. In each branch office, install WSUS and configure it as an autonomous downstream server.
In the main and branch offices, install Windows Server Update Services [WSUS] and configure it to collect
updates from Microsoft.

Your company recently opened two branch offices that connect to each other by use of a wide area network
[WAN]. Each branch office owns a server that operates Microsoft Windows Server 2012 and performs as a
file server. Users in each branch office save data on their local file server and have access to data from the
other branch office. You need to design a data access remedy that meets these requirements:
* Folders that are stored on each file server must be available to users in both branch offices.
* Usage of bandwidth must be minimized between branch offices.
* Files must be accessible in the event of a failed wide area network [WAN] link.
What should you do?
Install and configure File Server Resource Manager [FSRM] and File Replication Service [FRS] on each
branch office server.
Implement DFS Replication [DFSR] on each branch office server.
Install and configure Distributed File System [DFS] on one branch office server and install and configure
the Background Intelligent Transfer Service [BITS] on the other branch office server.
Install and configure File Server Resource Manager [FSRM] on one branch office server and install and
configure File Replication Services [FRS] on the other branch office server.

Install the Client Side Extensions on the affected computers.


You should install the Client Side Extensions. The option to create a mapped drive is a new
feature in group policy preference, but you cannot apply it to Windows XP unless you first install
the Client Side Extensions. You should not change the Action setting. The Action setting in the
GPO is set to Update. This is the default setting when creating new mapped drives. The Update
setting will update any existing mapped drives and, if it does not exist, it will create it, so there is
no need to change the Action setting. You should not run gpupdate /force. The gpupdate /force
command is used to force an update of all group policy settings affecting the computer, even if the
group policy has not been changed. In this case, the problem is that group policy preferences are
not supported on Windows XP unless you install the Client Side Extensions, so running gpupdate
/force will have no effect. You should not reconfigure the GPO. The mapping of drives in group
policy preferences is a feature found only in the User Configuration part of the GPO.

In the WDS management console, create five Active Directory Prestaged Devices.
In Active Directory Users and Computers, create the five computers as managed computers.
You should create the five computers as Active Directory Prestaged Devices in the WDS console. By prestaging the computers,
you link them to objects in Active Directory in the correct location, in this case the SalesOffice OU. The prestaging procedure
also allows you to assign permissions for who can join the computer to the domain. You could also create the five computers
as managed computers in Active Directory Users and Computers. By adding the computers as managed computers, you link
them to objects in Active Directory in the correct location, in this case the SalesOffice OU. This procedure also allows you to
assign permissions for who can join each computer to the domain. You should not create the five computers in Active
Directory Users and Computers. This will only create the five computers as objects in Active Directory and not link the object
to the physical computer. This will result in the computers appearing in the Computers container in Active Directory and not
the SalesOffice OU. Also, this process alone will not grant the users permissions to add their computers to the domain. You
should not change the properties for the WDS server. Changing the AD DS settings on the WDS server will result in all
computers being added to the domain to be added to the assigned location. In this case, we only want to control where the
SalesOffice computers are added, not all the computers in the company. Also, this process alone will not grant the users
permissions to add their computers to the domain.

Create a security group, add the portable computers, and run the DirectAccess Setup Wizard on the server.
You should create a security group, add the portable computers, and run the DirectAccess Setup Wizard on
the server. The DirectAccess Setup Wizard allows you to easily configure clients to use DirectAccess. You can
add the security group to the client list, and the computers in the security group you created will be able to
use DirectAccess. You should not upgrade the client computers to use Windows 7 Ultimate Edition and run
the DirectAccess Setup Wizard on each client computer. DirectAccess can be used with Windows 7
Enterprise Edition. In addition, you do not run the DirectAccess Setup Wizard on each client. Instead, you
run it on the DirectAccess server. You should not run the DirectAccess Setup Wizard on the server and on
each client computer. You do not run the DirectAccess Setup Wizard on each client. Instead, you run it on
the DirectAccess server. In addition, to be able to allow only the desired users access, you would need to
create a security group so that you could specify it when you run the DirectAccess Setup Wizard. You
should not run the DirectAccess Setup Wizard on each client computer. You do not run the DirectAccess
Setup Wizard on each client. Instead, you run it on the DirectAccess server.

In the main office, install Windows Server Update Services [WSUS] and configure it to collect updates from Microsoft. In
each branch office, install WSUS and configure it as a replica server.
You should install WSUS in the main and branch offices, and then configure the branch office WSUS servers as replica
servers. The replica servers will not only receive all updates from the main office WSUS server but, if you approve an update
for installation on the main office WSUS server, the update will automatically be approved for installation in the branch
offices. With this configuration, the main office WSUS server receives the updates from Microsoft. Each branch office WSUS
server then receives the updates from the main office WSUS server. In this way, there is a minimum of network traffic and all
updates can be approved on the main office WSUS server. You should not configure WSUS servers in the main and branch
offices to collect directly from Microsoft. Although this configuration would work, the IT staff would have to approve the
same updates on five servers instead of just one. You should not install WSUS in the main office and then configure the
branch office WSUS servers as autonomous downstream servers. Although the configuration of a downstream server could
solve the task, this would result in the IT staff having to approve updates on all WSUS servers. The big difference between a
normal downstream server and a replica server is the number of locations that updates need to be approved. You should not
install the WSUS server in the main office and then configure all client computers to collect updates from that server. This
configuration would result in all the client computers collecting updates from one WSUS server in the main office. This
would be too great a load on the network connections. When you have a large number of client computers that you want to
update, you need to set up a WSUS server close to the client computers to reduce network traffic.

Implement DFS Replication [DFSR] on each branch office server.


You should implement DFSR on each branch office server. An administrator can efficiently replicate
folders across several servers and sites with DFSR enabled. Remote Differential Compression [RDC]
compresses folders using an algorithm that is supported by DFSR. Changes to data in each file are inspected
and DFSR will replace only the blocks in the file rather than replacing the entire file. DFSR can be used
independently or with DFS Namespaces. You should not use FSRM and FRS. FRS was formerly used to
replicate data and is replaced by DFSR. DFSR will replicate data when DFS servers are defined in a DFSR
group while using Windows Server 2003 R2 or later. FRS will replace DFS if any systems are using an earlier
version of Windows Server. You should not install and configure DFS on one branch office server and install
and configure the BITS on the other branch office server. BITS transfers files from requesting applications
asynchronously. Transfer occurs in the background as long as the network connection is available and the
owner of the file is logged in. If the owner is not logged in, BITS will not transfer the file. Security and
performance are increased when DFSR is used with Windows Server 2012.

Your company wants to enforce client health via Dynamic Host
Configuration Protocol [DHCP] on its network by using Network
Policy Server [NPS]. What should you configure?
DNS Server
RADIUS proxy in NPS
DHCP Server
NPS configuration wizard

Your company's network consists of a single Active Directory domain. All servers on the network
run Microsoft Windows Server 2012. All client computers on the network run Windows 7. You
configure a server named VPN1 as a virtual private networking [VPN] server. VPN1 is used by the
members of the marketing department while they are traveling. You want to ensure that remote
users do not face any VPN connectivity problems even when the users are behind firewalls, Web
proxies, or Network Address Translation [NAT] routers. Which tunneling protocol should you
configure on VPN1?
Point-to-Point Tunneling Protocol [PPTP]
Secure Socket Tunneling Protocol [SSTP]
Layer Two Tunneling Protocol with Internet Protocol security [L2TP/IPsec]
GPRS Tunneling Protocol [GTP]

NPS configuration wizard


You should configure the enforcement with the NPS configuration wizard. NPS enables an
administrator to create and apply network access policies for client health, connection request
authentication, and connection request authorization. NPS can be configured to assign an IP
address or send the request to the DHCP server to assign an IP address. You should not configure
RADIUS proxy in NPS. A RADIUS proxy forwards Access-Request messages to another
RADIUS server and processes the request for access to the company's network. You should not
configure a DHCP server. Configuring DHCP alone would not utilize the NPS ability to instruct
the DHCP server to grant access to compliant NAP clients and prevent access by noncompliant
clients. You should not configure a DNS Server. DNS server is used for naming computers and
network services. Computers and services are located through fully qualified names.

Secure Socket Tunneling Protocol [SSTP]


You should use SSTP. This protocol uses an HTTP over SSL session between a VPN client and server. This protocol uses TCP
port 443, which allows a VPN connection to work successfully with firewalls, Web proxies, and NAT routers. TCP port 443
is used for all secure websites. Therefore, this port is already open on firewalls, Web proxies, and NAT routers. You should
not use GTP because this protocol is typically used for IP-based mobile phone networks, Global System for Mobile
communications [GSM] and Universal Mobile Telecommunications System [UMTS], and not for computer networks or VPN
connections. You should not use PPTP. PPTP uses two network sessions, which makes the VPN connection difficult to get
through a firewall, Web proxy, or NAT router. In addition, PPTP uses TCP port 1723, which may be blocked by default on
company firewalls, Web proxies, or NAT routers, preventing successful VPN connections. You should not use L2TP/IPsec.
This protocol is used for remote access and site-to-site VPN connections and supports IPv6-over-IPv4 traffic across the IPv4
Internet. IPsec provides a secure channel. When an IPv4 packet is sent using a VPN connection across the IPv4 Internet, the
IPv4 packet is encapsulated by the VPN protocol. To support VPN connections across the IPv6 Internet, the VPN protocols
that are used must support connections over IPv6. In Windows Server 2012, remote access VPN connections over IPv6 are
supported by the L2TP/IPsec and SSTP VPN protocols. However, L2TP/IPsec-based VPN connections require manually
opening ports on firewalls to ensure a successful VPN connection.

Create a network policy.

Your company's network consists of a single Active Directory domain. You install Microsoft
Windows Server 2012 on all servers on the network. All client computers on the network run
Windows 7. Some users in the marketing department want to access the company's network
while traveling. You install a Network Policy Server [NPS] and enable the Flouting and Remote
Access role service on the server to provide virtual private network [VPN] connectivity to remote
users. You want to ensure that only authorized remote users are allowed to access the corporate
network only between 9 A.M. to 6 P.M. What should you do?
Create a health policy.
Create a remote access policy.
Create a network policy.
Create a connection request policy.

Your network contains a computer running Microsoft Windows 2012. The
computer is configured as a Windows Server Update Services [WSUS] server.
All updates are currently stored on C:\WSUS. You decide that the location is
not appropriate for a server. You want to change the location to another drive,
specifically the D:\WSUS folder. You need the change to be as easy as
possible without too much downtime on the WSUS service. What should you
do?
On the WSUS server, run wsusutil export followed by wsusutil reset
On the WSUS server, run wsusutil export
On the WSUS server, run wsusutil movecontent
On the WSUS server, run wuauclt /updatenow

You should create a network policy. The Routing and Remote Access role service allows remote users to
access resources on your private network over VPN or dial-up connections. In Windows Server 2012, Routing
and Remote Access is a role service in the Network Policy and Access Services role. You configure remote
access policy through Network Policy Server [NPS]. You can use NPS to create and enforce network policies
to authenticate and authorize connection requests. NPS uses network policies to determine whether the
user or computer that is connecting to the network is allowed to access the network. NPS also examines the
dial-in properties of the user account in Active Directory to perform authorization. You can configure
network policies from the Policies node of the Network Policy Server snap-in. You should not create a
connection request policy. Connection request policies contain conditions and settings that allow you to
designate which servers perform the authentication and authorization of connection requests that the NPS
server receives from RADIUS clients. You should not create a health policy. Health policies contain system
health validators [SHVs] and other settings that allow you to define client computer configuration
requirements for computers that attempt to connect to your network. You should not create a remote access
policy. Remote access policies define how connections from remote users are either authorized or rejected.

On the WSUS server, run wsusutil movecontent


You should run the wsusutil movecontent command. The wsusutil movecontent command is used to
change the location of downloaded updates. The default command will change the update file location. If
you choose only to change the location but not move the content, you can use the -skipcopy switch. You
should not run the wsusutil export command. Although the command will export the updates to a different
location, it will not change the location where the WSUS server stores its updates. You should not run the
wuauclt /updatenow command. The command is used on client computers to force an update from a
WSUS or Microsoft Update server. The command will have no effect on the storage location for the WSUS
server updates. You should not run wsusutil export followed by wsusutil reset. The two commands cannot be
used to change the location for updates on the WSUS server. The first command will export updates from
the WSUS server to a file or folder. The wsusutil reset command is used to check the files stored on the
WSUS server compared to the updates located in the WSUS database. It is useful to run after a WSUS
database restore, because it will check for all updates in the database, and if they are missing in the file
location, the WSUS server will download them.

On the computer, run the command wuauclt /detectnow


Your network contains a computer running Microsoft Windows Server 2012. The computer is
configured as a Windows Server Update Services [WSUS] server. All of the necessary
configuration regarding the WSUS server has been made in a Group Policy object [GPO]. On the
WSUS server, you approve an update for installation on all computers. By inspection, you
discover that the update has been installed on all computers but one. You verify that the computer
is connected to the network and able to contact the WSUS server. You need the update to be
installed on the computer immediately. What should you do?
On the WSUS server, run the command wuauclt /detectnow
On the WSUS server, approve the update for installation
On the computer, run the command wuauclt /detectnow
On the computer, run the command gpupdate /force

You should run the command wuauclt /detectnow on the computer. The command will force the
computer to query the WSUS server for new updates. After a little while, the update should show
up in the notification area on the computer ready for installation. You should not run the wuauclt
/detectnow command on the WSUS server. The command is used on client computers to interact
with the Automatic Update client. You should not run the command gpupdate /force on the
computer. The gpupdate /force command is used to force updates of GPOs. Although WSUS
settings are set through a GPO, it is highly unlikely that the settings have been altered because all
other computers are still receiving updates. The problem must be local and could be a sign of the
default update interval which is 22 hours. Running the wuauclt /detectnow command instead
would check for new updates. You should not approve the update for installation on the WSUS
server. All client computers but one received the update, so the update must already have been
approved on the WSUS server.

Your network contains a computer running Microsoft Windows Server 2012. The computer is
configured as a Windows Server Update Services [WSUS] server. The client computers are
configured through a Group Policy object [GPO]. The relevant portion is shown in the exhibit.
The client computers are located in 50 branch offices and the WSUS server is located in the main
office. All branch offices have their own Internet connection. You need to reconfigure the WSUS
settings for optimal usage of existing connections while still maintaining control of the updates
to be approved. What should you do?
Change the GPO setting to Disabled.
Change the GPO setting to Not Configured.
On the WSUS server, remove "Download update files to this server only when updates are
approved."
Change Update Files on the WSUS server to "Do not store update files locally."

Change Update Files on the WSUS server to "Do not store update files locally."
You should set the option "Do not store update files locally" on the WSUS server. By configuring this setting, the WSUS
server will not download the complete updates from Microsoft but only the metadata. In this way, the WSUS server can still
be used to approve the updates to be installed on the client computers, but the client computers will contact the Microsoft
Update server to retrieve the updates. You should not change the GPO setting to Disabled. By disabling the GPO, the client
computers will only contact the Microsoft Update server and not the WSUS server. In this configuration, you will lose the
option to approve the updates to be installed. The client computers will retrieve and install updates directly from Microsoft
without any control. You should not change the GPO setting to Not Configured. By setting the GPO to Not Configured, the
client computers will only contact the Microsoft Update server and not the WSUS server. In this configuration, you will lose
the option to approve the updates to be installed. The client computers will retrieve and install updates directly from
Microsoft without any control. You should not remove "Download update files to this server only when updates are
approved" from the WSUS server. By removing this setting, the WSUS server will only download updates from Microsoft that
have been approved. The default setting states that all updates configured in Products and Classifications are downloaded to
the WSUS server. Changing this setting will still not change the fact that the client computers retrieve updates from the WSUS
server instead of the Microsoft Update server, which would be optimal.

Synchronize the WSUS server.


Your network contains a computer running Microsoft Windows Server 2012. The computer is
configured as a Windows Server Update Services [WSUS] server. The WSUS server has been
configured to manually synchronize updates from Microsoft and all client computers are
configured to collect updates from the WSUS server. You deploy Microsoft Office 2013 to all
client computers in your network. Updates for Microsoft Office 2013 are available on the
Microsoft Update server but the updates do not show up in Products and Classifications on the
WSUS server. What should you do?
Change settings in Products and Classifications to include Microsoft Office 2013.
Synchronize the WSUS server.
Run the wsusutil import command.
Approve updates for Microsoft Office 2013.

Your network contains a computer running Microsoft Windows Server 2012.
The computer is configured as a Windows Server Update Services [WSUS]
server. You have updated the WSUS server against the Microsoft Update
server and approved some updates for installation. After a few days, you
attempt to create a Computer Status Summary report but receive an error
message. You need to create the report. What should you do?
Run the command wuauclt /reportnow
Install .NET Framework 4.0
Run the command wsusutil checkhealth
Install Microsoft Report Viewer 2008

Your network contains a computer running the Microsoft Windows
Deployment Services [WDS]. The network and all client computers
support Preboot Execution Environment [PXE] boot. When attempting
to deploy an image to a new computer, the boot process stops and
displays the message shown in the exhibit. You need to have the boot
process continue. Which command should you run on the WDS server?
wdsutil /start
wdsutil /initialize
wdsutil /approve
wdsutil /enable

Your network contains a single subnet. In the subnet you have created an infrastructure to
support network based deployment of images to client computers. This includes a Domain
Controller, a Dynamic Host Configuration Protocol [DHCP] server, and a Windows Deployment
Services [WDS] server. You need to deploy Microsoft Windows 8 to 50 computers in the network.
However, you are concerned that the deployment may be slowed down because some client
computers have 10 Mbit/s network cards and some have 1 Gbit/s network cards. You need to
deploy the image without the risk of the computers with 10 Mbit/s network cards slowing the
faster computers down. What should you do on the WDS server?
Choose the Auto-Cast option for deployment.
Choose the Scheduled-Cast option for deployment.
Change the Transfer Settings.
Use the Add Driver Package feature to update drivers for the 10 Mbit/s network cards.

You should synchronize the WSUS server. Whenever a new product is added to the Microsoft
Update server, you need to synchronize the WSUS server before the new product shows up in
Products and Classifications. After the synchronization, you can approve updates for the new
product. You should not approve updates for Microsoft Office 2013. On the WSUS server, you
cannot approve updates for unknown products. First, you need to synchronize the WSUS server,
and after that you can approve updates for the new product. You should not change settings in
Products and Classifications. On the WSUS server, you cannot approve updates for unknown
products. You first need to synchronize the WSUS server, and after that you can approve updates
for the new product. You should not run the wsusutil import command. This command is used to
import updates onto the WSUS server, but the server will not accept updates for unknown
products. Therefore, you first need to synchronize the WSUS server and then you can approve
updates for the new product.

Install Microsoft Report Viewer 2008


You should install Microsoft Report Viewer 2008. The Report Viewer is not installed as part of the WSUS
server installation and without it, it will not be possible to create any reports on the WSUS server. After
downloading and installing the Report Viewer, reports can be created under the reports section of the
WSUS server console. You should not install .NET Framework 4.0. Although the .NET Framework is a
required feature for many roles and applications running on a Microsoft Windows Server 2012 server, the
.NET Framework is not required by the WSUS server to generate reports. You should not run the command
wsusutil checkhealth. The command is used on the WSUS server to generate a log entry in the event viewer
regarding the general health status of the WSUS server. The command cannot be used to generate any kind
of reports. You should not run the command wuauclt /reportnow. The command is used on client
computers. After running the command on a client computer, it will send a status report to the WSUS server
concerning updates received from the WSUS server. The command does not generate a report on the WSUS
server but merely sends a status from the client to the WSUS server.

wdsutil /approve
You should run the command wdsutil /approve. The /approve switch can be used to approve
pending devices. Pending devices will show up in the PXE boot sequence with a Message from
Administrator and a Pending Request ID. In this case, the command wdsutil /approvependingdevices /requestid:1 will approve the computer and the PXE boot will continue. You
should not run the command wdsutil /start. The /start switch can be used to start WDS services
and Multicast Transmissions, but it cannot be used to approve pending devices. You should not
run the command wdsutil /enable. The /enable switch is used to enable all WDS services. It
cannot be used to approve pending devices. You should not run the command wdsutil /initialize.
The /initialize switch is used to configure a WDS server for initial use. It cannot be used to
approve pending devices.

Change the Transfer Settings.


You should change the Transfer Settings. The Transfer Settings determine if deployment speed should be controlled by the
slowest computer or divided into groups depending on the speed of each computer. In this case we have two different speeds,
10 Mbit/s and 1 Gbit/s, so changing the Transfer Settings to separate clients into two sessions [slow and fast] would result in
all computers with 10 Mbit/s network cards running at 10 Mbit/s and all the computers with 1 Gbit/s card running at 1
Gbit/s. You should not choose the Auto-Cast option. The Auto-Cast option is used in multicast scenarios where you want all
computers to be able to connect to the same multicast session at any time. The problem with multicast is that all computers
have to run at the speed of the slowest computer. So simply choosing Auto-Cast is not the appropriate solution. You would
have to divide the connecting computers into two groups depending on their speed. This is done by changing the Transfer
Settings. You should not choose the Schedule-Cast option. The Schedule-Cast option is used to control when a multicast
session will start. You can choose a time or the number of computers to be connected before the start of deployment. So
simply choosing Schedule-Cast is not the appropriate solution. You would have to divide the connecting computers into two
groups depending on their speed. This is done by changing the Transfer Settings. You should not update the drivers for the
10 Mbit/s network cards. Updating the driver for a network card will not make it faster. Updating the drivers will not change
the transfer speed.

Your network contains an Active Directory Domain Services [AD DS] domain named corp.net.
All domain controllers are running Microsoft Windows Server 2012 and all client computers are
running Windows 8. You have configured a Group Policy object [GPO] named GPO1 with several
administrative template settings. The filter option for the GPO is shown in the exhibit. You need
to change the filter to only show settings that will be removed if the affected computer is moved
to a location in Active Directory where GPO1 no longer applies. What should you do?
Set Managed to Yes.
Set Configured to Yes.
Enable Keyword Filters.
Set Commented to Yes.
Enable Requirements Filters.

Your network contains an Active Directory Domain Services domain named corp.net. In the
domain, you have configured a computer running Microsoft Windows Server 2012 as a Windows
Deployment Services [WDS] server. The configuration is shown in the exhibit. The domain also
contains an Organizational Unit [OU] named Sales. You need to configure the WDS server to
only be able to deploy the Windows 8 Laptop image to users in the Sales OU who have laptop
computers. What should you do?
Edit the properties for the Windows 8 Laptop image to only allow read permission for the users
in the Sales OU and only allow installation on laptops.
Move the Windows 8 Laptop image to ImageGroup2 and assign the users in the Sales OU read
permissions.
Edit the security settings for ImageGroup1 to only allow installation by users in the Sales OU.
Create Active Directory Prestaged Devices for the laptop computers and assign Join Rights to
the users in the Sales OU.

Your network contains an Active Directory Domain Services domain named
corp.net, and the domain includes a file server named fileserver1.corp.net. On
the file server, users store confidential data. You need to secure the
confidential data on the server. You decide to use Encrypting File System [EFS]
to encrypt the data on the file server, but you are concerned about the loss of
accessibility if the users' EFS certificates become corrupt. You decide to create
a local EFS Data Recovery Agent. What should you do?
Use the gpupdate /force command.
Use the secedit command.
Use the netsh command.
Use the cipher command.

Your network contains an Active Directory Domain Services domain named example.com. A Microsoft
Windows Server 2012 server named Server1 is joined to the domain and has the Network Policy and Access
Services role installed. You need to set up a new connection request policy for incoming wireless clients on
your Network Policy Server [NPS]. The current network policy requires the use of Extensible Authentication
Protocol-Transport Layer Security [EAP-TLS]. You create a new connection request policy named
AllowAccess1 that is configured to Allow clients to connect without negotiating an authentication method.
AllowAccess1 is then applied to the NPS relying on the network policy to authenticate the clients connecting
to the network. You later find out that clients are gaining access to the network without being
authenticated. You need to ensure that the clients authenticate with the network connection request
policy that requires EAP-TLS and not use the AllowAccess1 policy authentication. What should you do?
Remove the AllowAccess1 connection policy that allows unauthenticated access.
Move the network connection request policy that requires EAP-TLS above the AllowAccess1 policy.
Delete both the network connection request policy and the AllowAccess1 policy and create a new
connection request policy that combines the previous network connection request policy and the settings in
AllowAccess1.
Move the network connection request policy that requires EAP-TLS policy below the AllowAccess1 policy.

Your network contains multiple computers running Microsoft Windows Server
2012. The computers are configured as file servers. The IT support staff is
responsible for the management of the file servers. Sometimes they copy files
to and from the servers onto USB sticks. You need to make sure that the USB
sticks are secure. You create a Group Policy object [GPO] on the domain that
applies to all the File Servers. What should you do?
Configure settings for Removable Data Drives.
Configure settings for Operating System Drives.
Configure settings for Encrypting File System.
Configure settings for Fixed Data Drives.

Set Managed to Yes.


You should set Managed to Yes. GPO settings can be divided into two groups: Managed and
Unmanaged. Managed settings are settings that will be removed if the computer or user falls out
of the scope of management [if it is removed to another location where the GPO no longer
applies]. Unmanaged settings are settings that will remain configured until you change the
settings. You should not set Configured to Yes. The filter option Configured is only used to filter
out settings that have actually been configured. You should not set Commented to Yes. The filter
option Commented is used to search the GPO for settings with comments configured. You should
not Enable Keyword Filter. Keyword filters are used to filter out GPO settings that match a
certain search criteria. You should not Enable Requirements Filters. Requirements filters are
used to filter out GPO settings that need some sort of further configuration to be made in order to
function.

Edit the properties for the Windows 8 Laptop image to only allow read permission for the users in the Sales
OU and only allow installation on laptops.
You should edit the properties for the Windows 8 Laptop image. In the properties for the image, there are
two functions to control which image can be installed on what hardware and who can install it. The Filters
function allows for the control of chassis type, in this case it should be set to Laptop, and the User
Permissions can be used to control which users can install the image, in this case the users in the Sales OU.
You should not edit the security settings for ImageGroup1. The security settings on ImageGroup1 will only
control users' permissions on that image group. It will not control the type of computer to which the image
should apply. So in this case, there will be no control if the image is applied onto Laptops or Desktops. You
should not create Active Directory Prestaged Devices. Although this will allow you to control which users are
able to install the image, it does not allow for the control of the type of computer to which the image can be
applied. You should not move the Windows 8 Laptop image. Moving the image to a different image group
will not allow for the control of the type of computer to which the image can be applied. Image groups are
only used to group images together for administrative purposes and for the delegation of installation
permissions.

Use the cipher command.


You should use the cipher command. Running the cipher command with the /r switch will create
a local EFS Data Recovery Agent Certificate. After running the command, you need to use local
Group Policies to define the EFS Data Recovery Agent using the certificate generated by the cipher
command. You should not use the secedit command. The secedit command is used to analyze or
configure local security policies, and, although EFS is part of the security policies, this command
cannot be used to create the EFS Data Recovery Agent certificate needed. You should not run the
gpupdate /force command. The gpupdate /force command is used to force an update of Group
Policies, and although you can define an EFS Data Recovery Agent in Group Policies, the
command cannot be used to create the EFS Data Recovery Agent certificate needed. You should
not use the netsh command. The netsh command is used to configure network related settings
such as network adapters. The command cannot be used to create the EFS Data Recovery Agent
certificate needed.

Remove the AllowAccess1 connection policy that allows unauthenticated access.


You should remove the AllowAccess1 connection policy that allows unauthenticated access. Connection
request policies can allow you to override the authentication settings that are configured in all network
policies. However, if you configure an authentication method in a connection request policy that is less
secure than the authentication method configured in the network policy, the more secure authentication
method configured in the network policy will be overridden. You should not move the network connection
request policy that requires EAP-TLS above the AllowAccess1 policy or move the network connection request
policy that requires EAP-TLS policy below the AllowAccess1 policy. Moving policies up or down does not
change the order of the policy that is being applied because one is a network policy and one is a connection
policy. If you have multiple network policies or multiple connection policies, then the order would make a
difference. You should not delete both the network connection request policy and the AllowAccess1 policy
and create a new connection request policy that combines the previous network connection request policy
and the settings in AllowAccess1 because you still need a network connection policy to designate who is
authorized to connect to the network.

Configure settings for Removable Data Drives.


You should configure settings for Removable Data Drives. The GPO settings for Removable Data
Drives can be used to control Bitlocker To Go on the USB sticks. One option is the ability to force
Bitlocker To Go encryption on USB drives. Setting this option will allow the IT support staff to
read from USB sticks, but if they try to write to it, the USB stick must be encrypted with Bitlocker
To Go. You should not configure settings for Fixed Data Drives. The GPO setting for Fixed Data
Drives applies only to Fixed Data Drives, and as such cannot be used to force encryption on USB
sticks. You should not configure settings for Operating System Drives. The GPO setting for
Operating System Drives only applies to drives with an operating system installed, and as such
cannot be used to force encryption on USB sticks. You should not configure settings for
Encrypting File System [EFS]. The EFS system is used to encrypt files on an NTFS volume, and
although you could format the USB stick with NTFS, there is no policy to enforce encryption on
the USB stick.

Configure an Active Directory-integrated conditional forwarder on DC1.CORP.NET.

Your network contains three Active Directory Domain Services domains - CORP.NET and two
child domains: US.CORP.NET and UK.CORP.NET. The servers are configured as shown in the
exhibit. You need to configure name resolution on all Domain Name System [DNS] servers to
forward all queries for the zone name CORPORATE.NET to DC1.CORP.NET. You must
accomplish the task with the least administrative effort. What should you do?
Configure a forwarder on DC2.CORP.NET, DC3.US.CORP.NET, and DC4.UK.CORP.NET.
Configure a conditional forwarder on all servers.
Configure an Active Directory-integrated conditional forwarder on DC1.CORP.NET.
Configure an Active Directory-integrated conditional forwarder on DC1.CORP.NET,
DC3.US.CORP.NET, and DC4.UK.CORP.NET.

Your network is an Ethernet local area network [LAN]. Client computers run
Microsoft Windows ?. Computers connect to the network using an 802.1x
authenticating switch. You need to ensure that client computers can only
access two servers if they are not running anti-virus software. What should
you do? [Each correct answer presents part of the solution. Choose two.]
Convert the network from a wired LAN to a wireless network.
Add each client computer as a RADIUS client.
Install Network Policy Server [NPS] as a Routing and Remote Access server.
Install Network Policy Server [NPS] as a Remote Authentication Dial-In User
Service [RADIUS] server.
Add each 802.1x authenticating switch as a RADIUS client.

You should configure an Active Directory-integrated conditional forwarder on DC1.CORP.NET. You need to
configure a conditional forwarder because you only want to forward name queries for CORPORATE.NET.
Furthermore, you only need to configure it on one DNS server because they are all domain controllers. You
can use the Replicate to all DNS servers in the forest option in conditional forwarders. You should not
configure a conditional forwarder on all servers. Although this would work, configuring conditional
forwarders on all servers takes much more effort than creating one on a single server and having it replicate
to the others. You should not configure an Active Directory-integrated conditional forwarder on
DC1.CORP.NET, DC3.US.CORP.NET, and DC4.UK.CORP.NET. There is no need to configure a conditional
forwarder in each domain. When you create the conditional forwarder, you can select the Replicate to
all DNS servers in the forest option, so you only need to configure the conditional forwarder once.
You should not configure a forwarder on DC2.CORP.NET, DC3.US.CORP.NET, and DC4.UK.CORP.NET.
You need to create a conditional forwarder, not a normal forwarder. A forwarder forwards all name queries
that the local DNS server is unable to resolve to DC1.CORP.NET and not only name queries for
CORPORATE.NET, as required.

Install Network Policy Server [NPS] as a Remote Authentication Dial-In User Service [RADIUS] server.
Add each 802.1x authenticating switch as a RADIUS client.
You should install NPS as a RADIUS server. A RADIUS server is used to define policies that allow or deny
access to the network. With NPS, you can define system health requirements and allow the computer
access, allow the computer limited access, or deny the computer access to the network based on these
requirements. You should add each 802.1x authenticating switch as a RADIUS client. The 802.1x
authenticating switch can act as a RADIUS client. When it does, it passes on client computer requests for
authentication to RADIUS, which then uses defined policies to determine access. You should not add each
client computer as a RADIUS client. You can add an 802.1x authenticating switch, a wireless access point, a
virtual private network [VPN] server, or other network access point as a RADIUS client. You do not add
client computers as RADIUS clients. You should not install NPS as a Routing and Remote Access server. You
use Routing and Remote Access to provide VPN or dial-up access, not to provide access to the network by
wired clients. You should not convert the network from a wired LAN to a wireless network. 802.1x
authenticating switches can be added as RADIUS clients to allow NPS policies to be applied. NPS is not
limited to authenticating wireless clients.
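
The two steps above (install NPS as a RADIUS server, then add each 802.1x authenticating switch as a RADIUS client) can be scripted as follows. This is an added example, not part of the original answer key; it assumes Windows Server 2012 or later and an elevated session, and the switch names and addresses are constructed placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example: registers 802.1x switches (not client computers) as RADIUS clients.

# Install the Network Policy Server role service if it is missing.
if (-not (Get-WindowsFeature -Name NPAS).Installed) {
    Install-WindowsFeature -Name NPAS -IncludeManagementTools | Out-Null
}
Import-Module NPS

# Constructed inventory of authenticating switches (placeholder values).
$switches = @(
    @{ Name = 'SW-FLOOR1'; Address = '192.0.2.11' },
    @{ Name = 'SW-FLOOR2'; Address = '192.0.2.12' }
)

function New-SharedSecret {
    # Random per-switch secret so that one exposed switch configuration
    # does not reveal the secret used by every other access device.
    param([int]$ByteCount = 24)
    $bytes = New-Object byte[] $ByteCount
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    [Convert]::ToBase64String($bytes)
}

# Addresses that are already registered, so the script can be re-run safely.
$existing = @(Get-NpsRadiusClient | Select-Object -ExpandProperty Address)

foreach ($sw in $switches) {
    if ($existing -contains $sw.Address) {
        Write-Warning "$($sw.Name) ($($sw.Address)) is already a RADIUS client; skipped."
        continue
    }
    $secret = New-SharedSecret
    # -NapCompatible marks the device as able to enforce NAP health decisions;
    # -AuthAttributeRequired demands the Message-Authenticator attribute.
    New-NpsRadiusClient -Name $sw.Name -Address $sw.Address -SharedSecret $secret `
        -AuthAttributeRequired $true -NapCompatible $true | Out-Null

    # Emit the secret once so it can be entered on the switch itself.
    [pscustomobject]@{ Switch = $sw.Name; Address = $sw.Address; SharedSecret = $secret }
}
```

The emitted secrets must be configured on the matching switches and should be handed over through a protected channel rather than left in console history or transcripts.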
