Q1. - (Topic 3)
Your network contains an Active Directory domain named contoso.com. The domain contains two domain controllers.
The domain controllers are configured as shown in the following table.
In the perimeter network, you install a new server named Server1 that runs Windows Server 2012 R2. Server1 is in a workgroup.
You need to perform an offline domain join of Server1 to the contoso.com domain.
What should you do first?
A. Transfer the PDC emulator role to Dc1.
B. Run the djoin.exe command.
C. Run the dsadd.exe command.
D. Transfer the infrastructure master role to DC1.
Answer: B
Explanation:
A. Creates a new Active Directory computer.
B. Use djoin for offline join in the perimeter network
C. Adds specific types of objects to the directory.
D. Add the local computer to a domain or workgroup.
Q2. - (Topic 3)
Your network contains an Active Directory domain named contoso.com. All user accounts in the sales department reside in an organizational unit (OU) named OU1.
You have a Group Policy object (GPO) named GPO1. GPO1 is used to deploy a logon script to all of the users in the sales department.
You discover that the logon script does not run when the sales users log on to their computers. You open Group Policy Management as shown in the exhibit.
You need to ensure that the logon script in GPO1 is applied to the sales users. What should you do?
A. Enforce GPO1.
B. Modify the link order of GPO1.
C. Modify the Delegation settings of GPO1.
D. Enable the link of GPO1.
Answer: D
Q3. - (Topic 3)
Your network contains an Active Directory domain named contoso.com. The domain
contains two servers named Server1 and Server2 that run Windows Server 2012 R2.
You create a security template named Template1 by using the Security Templates snap-in.
You need to apply Template1 to Server2.
Which tool should you use?
A. Authorization Manager
B. Local Security Policy
C. Certificate Templates
D. System Configuration
Answer: B
Explanation:
A security policy is a combination of security settings that affect the security on a computer. You can use your local security policy to edit account policies and local policies on your local computer.
Q4. - (Topic 2)
Your network contains an Active Directory domain named contoso.com. The domain
contains a server named Server1.Server1 runs Windows Server 2012 R2.
You create a group Managed Service Account named gservice1.
You need to configure a service named Service1 to run as the gservice1 account.
How should you configure Service1?
A. From the Services console, configure the General settings.
B. From Windows PowerShell, run Set-Service and specify the -StartupType parameter.
C. From a command prompt, run sc.exe and specify the config parameter.
D. From a command prompt, run sc.exe and specify the privs parameter.
Answer: C
Explanation:
Executing the ss.exe command with the config parameter will modify service configuration.
Topic 3, Volume C
Q5. - (Topic 2)
You have a server named Server1 that runs Windows Server 2012 R2. You add a 4-TB disk named Disk 5 to Server1.
You need to ensure that you can create a 3-TB volume on Disk 5.
What should you do?
A. Create a storage pool.
B. Convert the disk to a dynamic disk
C. Create a VHD, and then attach the VHD.
D. Convert the disk to a GPT disk.
Answer: D
Explanation:
MBR max is 2TB, the disk must be GPT For any hard drive over 2TB, we need to use GPT partition. If you have a disk larger than 2TB size, the rest of the disk space will not be used unless you convert it to GPT. An existing MBR partition can’t be converted to GPT unless it is completely empty; you must either delete everything and convert or create the partition as GPT. It is not possible to boot to a GPT partition, impossible to convert MBR to GPT without data loss.
Q6. - (Topic 1)
Your network contains an Active Directory domain named contoso.com. The domain contains 100 user accounts that reside in an organizational unit (OU) named OU1.
You need to ensure that a user named User1 can link and unlink Group Policy objects (GPOs) to OU1. The solution must minimize the number of permissions assigned to User1.
What should you do?
A. Run the Delegation of Control Wizard on OU1.
B. Add User1 to the Group Policy Creator Owners group.
C. Modify the permission on the \\Contoso.com\SYSVOL\Contoso.com\Policies folder.
D. Modify the permissions on the User1 account.
Answer: A
Explanation:
The Delegation of Control Wizard allows you to delegate tasks, active Directory Object types and to set permissions.
Q7. - (Topic 3)
Your network contains one Active Directory forest named contoso.com. The forest contains a single domain. All domain controllers run Windows Server 2012 R2.
You need to modify the membership of a group named Group1 to include two users named User1 and User2.
What command should you run? To answer, select the appropriate options in the answer area.
Select three.
A. Use command Add-GroupMember
B. Use command Add-ADGroupMember
C. As first parameter use Group1
D. As first parameter use User1, User2
E. As first parameter use {User1, User2}
F. As second parameter use Group1
G. As second parameter use User1, User2
H. As second parameter use {User1, User2}
Answer: B,C,G
Q8. - (Topic 3)
Your network contains an Active Directory domain named contoso.com. The network contains a member server named Server1 that runs Windows Server 2012 R2. Server1 has the DNS Server server role installed and has a primary zone for contoso.com. The Active Directory domain contains 500 client computers. There are an additional 20 computers in a workgroup. You discover that every client computer on the network can add its record to the contoso.com zone.
You need to ensure that only the client computers in the Active Directory domain can register records in the contoso.com zone.
What should you do first?
A. Move the contoso.com zone to a domain controller that is configured as a DNS server
B. Configure the Dynamic updates settings of the contoso.com zone
C. Sign the contoso.com zone by using DNSSEC
D. Configure the Security settings of the contoso.com zone.
Answer: A
Explanation:
If you install DNS server on a non-DC, then you are not able to create AD-integrated zones. DNS update security is available only for zones that are integrated into AD DS. When you directory- integrate a zone, access control list (ACL) editing features are available in DNS Managerso that you can add or remove users or groups from the ACL for a specified zone or resource record.
1. Active Directory’s DNS Domain Name is NOT a single label name (“DOMAIN” vs. the minimal requirement of”domain.com.” “domain.local”, etc.).
2. The Primary DNS Suffix MUST match the zone name that is allowing updates. Otherwise the client doesn’t know what zone name to register in. You can also have a different Conneciton Specific Suffix in addition to the Primary DNS Suffix to register into that zone as well.
3. AD/DNS zone MUST be configured to allow dynamic updates, whether Secure or Secure and Non-Secure. For client machines, if a client is not joined to the domain, and the zone is set to Secure, it will not register either.
4. You must ONLY use the DNS servers that host a copy of the AD zone name or have a reference to get to them. Do not use your ISP’s, an external DNS address, your router as a DNS address, or any other DNS that does not have a copy of the AD zone. Internet resolution for your machines will be accomplished by the Rootservers (Root Hints), however it’s recommended to configure a forwarder for efficient Internet resolution.
5. The domain controller is multihomed (which means it has more than one unteamed, active NIC, more than one IP address, and/or RRAS is installed on the DC).
6. The DNS addresses configured in the client’s IP properties must ONLY reference the DNS server(s) hosting the AD zone you want to update in. This means that you must NOT use an external DNS in any machine’s IP property in an AD environment. You can’t mix them either. That’s because of the way the DNS Client side resolver service works. Even if you mix up internal DNS and ISP’s DNS addresses, the resolver algorithm can still have trouble asking the correct DNS server. It will ask the first one first. If it doesn’t get a response, it removes the first one from the eligible resolvers list and goes to the next in the list. It will not go back to the first one unless you restart the machine, restart the DNS Client service, or set a registry entry to cut the query TTL to 0. The rule is to ONLY use your internal DNS server(s) and configure a forwarder to your ISP’s DNS for efficient Internet resolution. This is the reg entry to cut the query to 0 TTL: The DNS Client service does not revert to using the first server. The Windows 2000 Domain Name System (DNS) Client service (DNS cache) follows a certain algorithm when it decides the order in which to use the DNS servers. http://support.microsoft.com/kb/286834 For more info, please read the following on the client side resolver service: DNS, WINS NetBIOS & the Client Side Resolver, Browser Service, Disabling NetBIOS, Direct Hosted SMB (Direct SMB), If One DC is Down Does a Client logon to Another DC, and DNS Forwarders Algorithm if you have multiple forwarders.
http://msmvps.com/blogs/acefekay/archive/2009/11/29/dns-wins-netbios-amp-the-clientside- resolverbrowserservice-disabling-netbios-direct-hosted-smb-directsmb-if-one-dc-isdown-does-a- client-logon-toanother-dcand-dns-forwarders-algorithm.aspx
7. For DHCP clients, DHCP Option 006 for the clients are set to the same DNS server.
8. If using DHCP, DHCP server must only be referencing the same exact DNS server(s) in
its own IP properties in order for it to ‘force’ (if you set that setting) registration into DNS.
Otherwise, how would it know which DNS to send the reg data to?
9. If the AD DNS Domain name is a single label name, such as “EXAMPLE”, and not the
proper format of ”example.com” and/or any child of that format, such as
“child1.example.com”, then we have a real big problem.
DNS will not allow registration into a single label domain name.
This is for two reasons:
1. It’s not the proper hierarchal format. DNS is hierarchal, but a single label name has no
hierarchy. It’s just a single name.
2. Registration attempts cause major Internet queries to the Root servers. Why? Because it
thinks the single label name, such as “EXAMPLE”, is a TLD (Top Level Domain), such as
“com”, “net”, etc. It will now try to find what Root name server out there handles that TLD.
In the end it comes back to itself and then attempts to register. Unfortunately it does NOT
ask itself first for the mere reason it thinks it’s a TLD. (Quoted from Alan Woods, Microsoft,
2004):
“Due to this excessive Root query traffic, which ISC found from a study that discovered
Microsoft DNS servers are causing excessive traffic because of single label names,
Microsoft, being an internet friendly neighbor and wanting to stop this problem for their
neighbors, stopped the ability to register into DNS with Windows 2000SP4, XP SP1,
(especially XP, which cause lookup problems too), and Windows 2003. After all, DNS is
hierarchal, so therefore why even allow single label DNS domain names?” The above also
*especially* applies to Windows Vista, 7, 2008, 2008 R2, and newer.
10. ‘Register this connection’s address” on the client is not enabled under the NIC’s IP
properties, DNS tab.
11. Maybe there’s a GPO set to force Secure updates and the machine isn’t a joined
member of the domain.
12. ON 2000, 2003 and XP, the “DHCP client” Service not running. In 2008/Vista and
newer, it’s the DNS Client Service. This is a requirement for DNS registration and DNS
resolution even if the client is not actually using DHCP.
13. You can also configure DHCP to force register clients for you, as well as keep the DNS
zone clean of old or duplicate entries. See the link I posted in my previous post.
Q9. - (Topic 2)
Your network contains several servers that run Windows Server 2012 R2 and client computers that run Windows 8.1.
You download several signed Windows PowerShell scripts from the Internet.
You need to run the PowerShell scripts on all of the servers and all of the client computers.
What should you modify first?
A. The environment variables on all of the servers
B. The execution policy on all of the servers
C. The execution policy on all of the client computers
D. The environment variables on all client computers
Answer: C
Explanation:
The default execution policy of Windows Server 2012 is RemoteSigned meaning that as long as a valid signature is used on the scripts, they will run. However, the client computers have a default execution policy of restricted meaning that no scripts will run in PowerShell whatsoever, so this would have to be changed before the scripts could be executed on the client computers.
Q10. - (Topic 2)
Your network contains a file server named Server1 that runs Windows Server 2012 R2.All client computers run Windows 8.
You need to ensure that when users are connected to the network, they always use local offline files that are cached from Server1.
Which Group Policy setting should you configure?
A. Configure slow-link mode.
B. Configure Slow link speed
C. Enable file synchronization on costed networks
D. Turn on economical application of Administratively assigned Offline Files.
Answer: A
Explanation:
A. Offline Files to provide faster access to cached files and redirected folders.
B. Defines a slow connection for purposes of Applying and updating Group Policy.
C. automatically tracks roaming and bandwidth usage limits while on metered connections
D. Lists network files and folders that are always available for offline use. This policy makes the specified files and folders available offline to users of the computer. When Offline Files is operating in the slow-link mode, all network file requests are satisfied from the OfflineFiles cache. This is similar to a user working offline. If you enable this policy setting, Offline Files uses the slow-link mode if the network throughput between the client and the server is below (slower than) the Throughput threshold parameter, or if the round-trip network latency is above (slower than) the Latency threshold parameter.