Q1. HOTSPOT
Your network contains one Active Directory domain.
The domain contains an enterprise certification authority (CA).
You need to ensure that members of a group named Group1 can issue certificates for the
User certificate template only.
Which two tabs should you use to perform the configuration? To answer, select the
appropriate tabs in the answer area.
Answer:
Q2. You have an Active Directory Rights Management Services (AD RMS) cluster.
You need to prevent users from encrypting new content. The solution must ensure that the users can continue to decrypt content that was encrypted already.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. From the Active Directory Rights Management Services console, enable decommissioning.
B. From the Active Directory Rights Management Services console, create a user exclusion policy.
C. Modify the NTFS permissions of %systemdrive%\inetpub\wwwroot\_wmcs\licensing.
D. Modify the NTFS permissions of %systemdrive%\inetpub\wwwroot\_wmcs\decommission.
E. From the Active Directory Rights Management Services console, modify the rights policy templates.
Answer: A,D
Explanation:
* Decommissioning refers to the entire process of removing the AD RMS cluster and its associated databases from an organization. This process allows you to save rights-protected files as ordinary files before you remove AD RMS from your infrastructure so that you do not lose access to these files.
Decommissioning an AD RMS cluster is achieved by doing the following:
- Enable the decommissioning service. (A)
- Modify permissions on the decommissioning pipeline.
- Configure the AD RMS-enabled application to use the decommissioning pipeline.
* To modify the permissions on the decommissioning pipeline
1. Log on to ADRMS-SRV as cpandl\administrator.
2. Click Start, type %systemdrive%\inetpub\wwwroot\_wmcs in the Start Search box, and
then press ENTER.
3. Right-click the decommission folder, and then click Properties.
4. Click the Security tab, click Edit, and then click Add. (D)
Etc.
Reference: Step 1: Decommission AD RMS Root Cluster
Q3. You have a server named Server1 that runs Windows Server 2012 R2.
Each day, Server1 is backed up fully to an external disk.
On Server1, the disk that contains the operating system fails.
You replace the failed disk.
You need to perform a bare-metal recovery of Server1 by using the Windows Recovery
Environment (Windows RE).
What should you use?
A. The Wbadmin.exe command
B. The Repair-bde.exe command
C. The Get-WBBareMetalRecovery cmdlet
D. The Start-WBVolumeRecovery cmdlet
Answer: A
Explanation:
Wbadmin enables you to back up and restore your operating system, volumes, files, folders, and applications from a command prompt.
Wbadmin start sysrecovery runs a recovery of the full system (at least all the volumes that contain the operating system's state). This subcommand is only available if you are using the Windows Recovery Environment.
* Wbadmin start sysrecovery -backupTarget Specifies the storage location that contains the backup or backups that you want to recover. This parameter is useful when the storage location is different from where backups of this computer
Incorrect:
Not B. Accesses encrypted data on a severely damaged hard disk if the drive was
encrypted by using BitLocker. Repair-bde can reconstruct critical parts of the drive and
salvage recoverable data as long as a valid recovery password or recovery key is used to
decrypt the data.
Not C. Gets the value that indicates whether the ability to perform bare metal recoveries
from backups has been added to the backup policy (WBPolicy object).
Not D. Starts a volume recovery operation.
Reference: Wbadmin start sysrecovery
http://technet.microsoft.com/en-us/library/cc742118.aspx
Q4. Your network contains two Active Directory forests named contoso.com and corp.contoso.com.
User1 is a member of the DnsAdmins domain local group in contoso.com.
User1 attempts to create a conditional forwarder to corp.contoso.com but receives the error message shown in the exhibit. (Click the Exhibit button.)
You need to configure bi-directional name resolution between the two forests.
What should you do first?
A. Add User1 to the DnsUpdateProxy group.
B. Configure the zone to be Active Directory-integrated.
C. Enable the Advanced view from DNS Manager.
D. Run the New Delegation Wizard.
Answer: B
Explanation:
The zone must be Active Directory-integrated.
Q5. You have a DNS server named Server1 that runs Windows Server 2012 R2. Server1 has the zones shown in the following output.
You need to delegate permissions to modify the records in the adatum.com zone to a group named Group1.
What should you do first?
A. Enable the distribution of the trust anchors for adatum.com.
B. Unsign adatum.com.
C. Store adatum.com in Active Directory.
D. Update the server data file for adatum.com.
Answer: A
Explanation: From the exhibit we see that the adatum.com zone is signed.
A trust anchor (or trust “point”) is a public cryptographic key for a signed zone. Trust
anchors must be configured on every non-authoritative DNS server that will attempt to
validate DNS data. You cannot distribute trust anchors until after a zone is signed.
Reference: Trust Anchors
https://technet.microsoft.com/en-us/library/dn593672.aspx
Q6. Your network contains an Active Directory domain named contoso.com. All domain controllers run Windows Server 2012 R2. The domain contains two domain controllers.
The domain controllers are configured as shown in the following table.
You configure a user named User1 as a delegated administrator of DC10.
You need to ensure that User1 can log on to DC10 if the network link between the Main site and the Branch site fails.
What should you do?
A. Add User1 to the Domain Admins group.
B. On DC10, modify the User Rights Assignment in Local Policies.
C. Run repadmin and specify the /prp parameter.
D. On DC10, run ntdsutil and configure the settings in the Roles context.
Answer: C
Explanation:
repadmin /prp will allow the password caching of the local administrator to the RODC.
This command lists and modifies the Password Replication Policy (PRP) for read-only domain controllers (RODCs).
Reference: RODC Administration
https://technet.microsoft.com/en-us/library/cc755310%28v=ws.10%29.aspx
Q7. Your network contains an Active Directory domain named contoso.com. The domain contains two member servers named Server1 and Server2. All servers run Windows Server 2012 R2.
Server1 and Server2 have the Failover Clustering feature installed. The servers are configured as nodes in a failover cluster named Cluster1. Cluster1 contains a file server role named FS1 and a generic service role named SVC1. Server1 is the preferred node for FS1. Server2 is the preferred node for SVC1.
You plan to run a disk maintenance tool on the physical disk used by FS1.
You need to ensure that running the disk maintenance tool does not cause a failover to occur.
What should you do before you run the tool?
A. Run Suspend-ClusterResource.
B. Run Suspend-ClusterNode.
C. Run cluster.exe and specify the pause parameter.
D. Run cluster.exe and specify the offline parameter.
Answer: D
Q8. DRAG DROP
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2.
You plan to install the Active Directory Federation Services server role on Server1 to allow for Workplace Join.
You run nslookup enterpriseregistration and you receive the following results:
You need to create a certificate request for Server1 to support the Active Directory Federation Services (AD FS) installation.
How should you configure the certificate request?
To answer, drag the appropriate names to the correct locations. Each name may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
Answer:
Q9. You have a server named Server1 that runs Windows Server 2012 R2 and is used for testing.
A developer at your company creates and installs an unsigned kernel-mode driver on Server1. The developer reports that Server1 will no longer start.
You need to ensure that the developer can test the new driver. The solution must minimize the amount of data loss.
Which Advanced Boot Option should you select?
A. Disable Driver Signature Enforcement
B. Disable automatic restart on system failure
C. Last Known Good Configuration (advanced)
D. Repair Your Computer
Answer: A
Explanation:
A. By default, 64-bit versions of Windows Vista and later versions of Windows will load a kernel-mode driver only if the kernel can verify the driver signature. However, this default behavior can be disabled to facilitate early driver development and non-automated testing.
Incorrect:
Not B. Specifies that Windows automatically restarts your computer when a failure occurs.
Not C. The developer would not be able to test the driver as needed.
Not D. Removes or repairs critical Windows files. The developer would not be able to test the driver as needed, and some files would be lost.
Reference: Installing Windows Server 2012.
http://technet.microsoft.com/en-us/library/jj134246.aspx
http://msdn.microsoft.com/en-us/library/windows/hardware/ff547565(v=vs.85).aspx
Q10. Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server3 that runs Windows Server 2012 R2 and has the DHCP Server server role installed.
DHCP is configured as shown in the exhibit. (Click the Exhibit button.)
Scope1, Scope2, and Scope3 are configured to assign the IP addresses of two DNS servers to DHCP clients. The remaining scopes are NOT configured to assign IP addresses of DNS servers to DHCP clients.
You need to ensure that only Scope1, Scope3, and Scope5 assign the IP addresses of the DNS servers to the DHCP clients. The solution must minimize administrative effort.
What should you do?
A. Create a superscope and a filter.
B. Create a superscope and scope-level policies.
C. Configure the Server Options.
D. Configure the Scope Options.
Answer: D
Explanation:
Scope options are applied to any clients that obtain a lease within that particular scope.
Active scope option types always apply to all computers obtaining a lease in a given scope
unless they are overridden by class or reserved client settings for the option type.
Incorrect:
Not A, not B. A superscope allows a DHCP server to provide leases from more than one
scope to clients on a single physical network. It is not applicable here.
Not C. If we configure the Server Options and set the DNS Servers then all DHCP clients
would be assigned a DNS server.
Reference: Managing DHCP Options
https://technet.microsoft.com/en-us/library/cc958929.aspx