[2021-New] Microsoft 70-410 Dumps With Update Exam Questions (11-20)

70-410 Dumps

70-410 Exam Questions - Online Test

70-410 Premium VCE File

Learn More 100% Pass Guarantee - Dumps Verified - Instant Download
150 Lectures, 20 Hours

Q1. - (Topic 3)

Your network contains an Active Directory forest named adatum.com. The forest contains a child domain named asia.adatum.com. The asia.adatum.com child domain contains a server named DHCP1 that runs Windows Server 2012 R2.

You install the DHCP Server server role on DHCP1.

You have access to the administrative accounts shown in the following table.

You need to authorize DHCP1.

Which user account should you use?

A. Admin1

B. Admin2

C. Admin3

D. Admin4

Answer: B

Q2. - (Topic 3)

You work as an administrator at Contoso.com. The Contoso.com network consists of a single domain named Contoso.com. All servers on the Contoso.com network have Windows Server 2012 installed.

You have received instructions to install the Remote Desktop Services server role on a server, named ENSUREPASS-SR07. You want to achieve this remotely from a server, named ENSUREPASS-SR06.

Which of the following actions should you take?

A. You should consider accessing the Server Manager console on ENSUREPASS-SR07.

B. You should consider accessing the Server Manager console on ENSUREPASS-SR06.

C. You should consider accessing the TS Manager console on ENSUREPASS-SR07

D. You should consider accessing the TS Manager console on ENSUREPASS-SR06.

Answer: B

Q3. HOTSPOT - (Topic 3)

You have a server named Server1 that runs Windows Server 2012 R2.

Several users are members of the local Administrators group.

You need to ensure that all local administrators receive User Account Control (UAC)

prompts when they run a Microsoft Management Console (MMC).

Which settings should you modify from the Local Security Policy? To answer, select the

appropriate settings in the answer area.

Answer:

Q4. - (Topic 1)

Your network contains an Active Directory forest named contoso.com. The forest contains a single domain. All servers run Windows Server 2012 R2. The domain contains two domain controllers named DC1 and DC2. Both domain controllers are virtual machines on a Hyper-V host.

You plan to create a cloned domain controller named DC3 from an image of DC1.

You need to ensure that you can clone DC1.

Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

A. Add the computer account of DC1 to the Cloneable Domain Controllers group.

B. Create a DCCloneConfig.xml file on DC1.

C. Add the computer account of DC3 to the Cloneable Domain Controllers group.

D. Run the Enable-AdOptionalFeaturecmdlet.

E. Modify the contents of the DefaultDCCIoneAllowList.xml file on DC1.

Answer: A,B

Explanation:

A. Cloneable Domain Controllers Group There’s a new group in town. It’s called Cloneable Domain Controllers and you can find it in the Users container. Membership in this group dictates whether a DC can or cannot be cloned. This group has some permissions set on the domain head that should not be removed. Removing these permissions will cause cloning to fail. Also, as a best practice, DCs shouldn’t be added to the group until you plan to clone and DCs should be removed from the group once cloning is complete. Cloned DCs will also end up in the Cloneable Domain Controllers group.

B. DCCloneConfig.xml There’s one key difference between a cloned DC and a DC that is being restored to a previous snapshot: DCCloneConfig.XML. DCCloneConfig.xml is an XML configuration file that contains all of the settings the cloned DC will take when it boots. This includes network settings, DNS, WINS, AD site name, new DC name and more. This file can be generated in a few different ways. The New-ADDCCloneConfigcmdlet in PowerShell By hand with an XML editor By editing an existing config file, again with an XML editor.

Reference: Virtual Domain Controller Cloning in Windows Server 2012.

Q5. DRAG DROP - (Topic 2)

Your network contains an Active Directory domain named contoso.com. All servers run

Windows Server 2012 R2.All client computers run Windows 8.

The domain contains a security group named Group1.

You have a Group Policy object (GPO) named GPO1.GPO1 is linked to the domain.

You need to ensure that only the members of Group1 can run the applications shown in the

following table.

Which type of application control policy should you implement for each application?

To answer, drag the appropriate rule types to the correct applications. Each rule type may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

Answer:

Q6. - (Topic 3)

RODC comes with a number of features that focus on heightened security with limited functionality to remote office users. Which of the following are features of RODC?

A. Filtered Attribute Sets

B. Read-Only DNS

C. Unidirectional Replication

D. All of these

Answer: A

Q7. - (Topic 3)

Your network contains an Active Directory domain named contoso.com. The network contains a domain controller named DC1 that has the DNS Server server role installed. DC1 has a standard primary DNS zone for contoso.com.

You need to ensure that only client computers in the contoso.com domain will be able to add their records to the contoso.com zone.

What should you do first?

A. Sign the contoso.com zone.

B. Modify the Security settings of DC1.

C. Modify the Security settings of the contoso.com zone.

D. Store the contoso.com zone in Active Directory.

Answer: D

Explanation:

Only Authenticated users can create records when zone is stored in AD.

Secure dynamic updates allow an administrator to control what computers update what

names and prevent unauthorized computers from overwriting existing names in DNS.

References:

Training Guide: Installing and Configuring Windows Server 2012 R2: Chapter 6: Network

Administration, Lesson 2: Implementing DNSSEC, p. 237

http://technet.microsoft.com/en-us/library/cc731204(v=ws.10).aspx

http://technet.microsoft.com/en-us/library/cc755193.aspx

Q8. - (Topic 3)

Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1. Server1 runs Windows Server 2012 R2.

You need to create 3-TB virtual hard disk (VHD) on Server1.

Which tool should you use?

A. New-StorageSubsytemVirtualDisk

B. File Server Resource Manager (FSRM)

C. Server Manager

D. Computer Management

Answer: A

Explanation:

For other questions to create a VHD (file) you can use computer management.

-Share and storage management (2008 only)

-New-storagesubsystemVirtualDisk (this is a virtual disk, NOT a virtual hard disk)

-Server Manager (you would use this to create virtual disks, not virtual hard disks)

Q9. DRAG DROP - (Topic 3)

You have a print server named Server1Server1 runs Windows Server 2008 R2. You have a file server named Server2. Server2 runs Windows Server 2012 R2.

You need to migrate all of the printers on Server1 to Server2.

Which actions should you perform on the servers?

To answer, drag the appropriate action to the correct servers in the answer area. Each action may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

Answer:

Q10. - (Topic 2)

Your network contains an Active Directory domain named contoso.com. All servers run Windows Server 2012 R2.Client computers run either Windows 7 or Windows 8.

All of the computer accounts of the client computers reside in an organizational unit (OU) named Clients. A Group Policy object (GPO) named GPO1 is linked to the Clients OU. All of the client computers use a DNS server named Server1.

You configure a server named Server2 as an ISATAP router. You add a host (A) record for ISATAP to the contoso.com DNS zone.

You need to ensure that the client computers locate the ISATAP router.

What should you do?

A. Run the Set-DnsServerGlobalQueryBlockList cmdlet on Server1.

B. Configure the Network Options Group Policy preference of GPO1.

C. Run the Add-DnsServerResourceRecord cmdlet on Server1.

D. Configure the DNS Client Group Policy setting of GPO1.

Answer: A

Explanation:

The Set-DnsServerGlobalQueryBlockList command will change the settings of a global query block list which you can use to ensure that client computers locate the ISATAP router.

Windows Server 2008 introduced a new feature, called “Global Query Block list”, which prevents some arbitrary machine from registering the DNS name of WPAD. This is a good security feature, as it prevents someone from just joining your network, and setting himself up as a proxy. The dynamic update feature of Domain Name System (DNS) makes it possible for DNS client computers to register and dynamically update their resource records with a DNS server whenever a client changes its network address or host name. This reduces the need for manual administration of zone records. This convenience comes at a cost, however, because any authorized client can register any unused host name, even a host name that might have special significance for certain Applications. This can allow a malicious user to take over a special name and divert certain types of network traffic to that user’s computer. Two commonly deployed protocols are particularly vulnerable to this type of takeover: the Web Proxy Automatic Discovery Protocol (WPAD) and the Intra-site Automatic Tunnel Addressing Protocol (ISATAP). Even if a network does not deploy these protocols, clients that are configured to use them are vulnerable to the takeover that DNS dynamic update enables. Most commonly, ISATAP hosts construct their PRLs by using DNS to locate a host named isatap on the local domain. For example, if the local domain is corp.contoso.com, an ISATAP-enabled host queries DNS to obtain the IPv4 address of a host named isatap.corp.contoso.com. In its default configuration, the Windows Server 2008 DNS Server service maintains a list of names that, in effect, it ignores when it receives a query to resolve the name in any zone for which the server is authoritative. Consequently, a malicious user can spoof an ISATAP router in much the same way as a malicious user can spoof a WPAD server: A malicious user can use dynamic update to register the user’s own computer as a counterfeit ISATAP router and then divert traffic between ISATAP-enabled computers on the network. The initial contents of the block list depend on whether WPAD or ISATAP is already deployed when you add the DNS server role to an existing Windows Server 2008 deployment or when you upgrade an earlier version of Windows Server running the DNS Server service. Add-DnsServerResourceRecord – The Add-DnsServerResourceRecordcmdlet adds a resource record for a Domain Name System (DNS) zone on a DNS server. You can add different types of resource records. Use different switches for different record types. By using this cmdlet, you can change a value for a record, configure whether a record has a time stamp, whether any authenticated user can update a record with the same owner name, and change lookup timeout values, Windows Internet Name Service (WINS) cache settings, and replication settings. Set-DnsServerGlobalQueryBlockList – The Set-DnsServerGlobalQueryBlockListcmdlet changes settings of a global query block list on a Domain Name System (DNS) server. This cmdlet replaces all names in the list of names that the DNS server does not resolve with the names that you specify. If you need the DNS server to resolve names such as ISATAP and WPAD, remove these names from the list. Web Proxy Automatic Discovery Protocol (WPAD) and Intra-site Automatic Tunnel Addressing Protocol (ISATAP) are two commonly deployed protocols that are particularly vulnerable to hijacking.

References: Training Guide: Installing and Configuring Windows Server 2012 R2, Chapter 4: Deploying domain controllers, Lesson 4: Configuring IPv6/IPv4 Interoperability, p. 254-256 http://technet.microsoft.com/en-us/library/jj649942(v=wps.620).aspx http://technet.microsoft.com/en-us/library/jj649876(v=wps.620).aspx http://technet.microsoft.com/en-us/library/jj649874.aspx http://technet.microsoft.com/en-us/library/jj649909.aspx