Q1. - (Topic 8)
Your network contains an Active Directory domain named contoso.com. The domain contains servers that run either Windows Server 2008 R2 or Windows Server 2012.
All client computers on the internal network are joined to the domain. Some users establish VPN connections to the network by using Windows computers that do not belong to the domain.
All client computers receive IP addresses by using DHCP.
You need to recommend a Network Access Protection (NAP) enforcement method to meet the following requirements:
Verify whether the client computers have up-to-date antivirus software.
Provide a warning to users who have virus definitions that are out-of-date.
Ensure that client computers that have out-of-date virus definitions can connect to the network.
Which NAP enforcement method should you recommend?
A. DHCP
B. IPSec
C. VPN
D. 802.1x
Answer: A
Explanation:
NAP enforcement for DHCP
DHCP enforcement is deployed with a DHCP Network Access Protection (NAP) enforcement server component, a DHCP enforcement client component, and Network Policy Server (NPS). Using DHCP enforcement, DHCP servers and NPS can enforce health policy when a computer attempts to lease or renew an IP version 4 (IPv4) address. However, if client computers are configured with a static IP address or are otherwise configured to circumvent the use of DHCP, this enforcement method is not effective.
Note: The NAP health policy server can use a health requirement server to validate the health state of the NAP client or to determine the current version of software or updates that need to be installed on the NAP client.
Reference: NAP Enforcement for DHCP
http://technet.microsoft.com/en-us/library/cc733020(v=ws.10).aspx
Q2. HOTSPOT - (Topic 2)
You need to recommend a configuration for the DHCP infrastructure.
What should you recommend? To answer, select the appropriate options in the answer area.
Answer:
Q3. - (Topic 3)
You need to recommend a remote access solution that meets the VPN requirements.
Which role service should you include in the recommendation?
A. Routing
B. Network Policy Server
C. DirectAccess and VPN (RAS)
D. Host Credential Authorization Protocol
Answer: B
Explanation:
Scenario:
A server that runs Windows Server 2012 will perform RADIUS authentication for all of the VPN connections.
Ensure that NAP with IPSec enforcement can be configured.
Network Policy Server
Network Policy Server (NPS) allows you to create and enforce organization-wide network access policies for client health, connection request authentication, and connection request authorization. In addition, you can use NPS as a Remote Authentication Dial-In User Service (RADIUS) proxy to forward connection requests to a server running NPS or other RADIUS servers that you configure in remote RADIUS server groups.
NPS allows you to centrally configure and manage network access authentication, authorization, and client health policies with the following three features:
RADIUS server. NPS performs centralized authentication, authorization, and accounting for wireless, authenticating switch, remote access dial-up and virtual private network (VPN) connections. When you use NPS as a RADIUS server, you configure network access servers, such as wireless access points and VPN servers, as RADIUS clients in NPS. You also configure network policies that NPS uses to authorize connection requests, and you can configure RADIUS accounting so that NPS logs accounting information to log files on the local hard disk or in a Microsoft SQL Server database.
Reference: Network Policy Server
Q4. - (Topic 7)
You have an IP Address Management (IPAM) server that runs Windows Server 2012 SP1. You need to integrate the IPAM server with System Center Virtual Machine Manager (SCVMM).
Solution: You create a dedicated user account named IPAM_svc, and add it to the Local Administrators local group on the SCVMM server.
Does this meet the goal?
A. Yes
B. No
Answer: B
Reference: How to integrate IPAM with SCVMM 2012 R2
Q5. - (Topic 1)
You need to recommend a solution for DHCP logging. The solution must meet the technical requirement.
What should you include in the recommendation?
A. Event subscriptions
B. IP Address Management (IPAM)
C. DHCP audit logging
D. DHCP filtering
Answer: B
Explanation: * Scenario: A central log of the IP address leases and the users associated to those leases must be created.
* Feature description: IPAM in Windows Server 2012 is a new built-in framework for discovering, monitoring, auditing, and managing the IP address space used on a corporate network. IPAM provides for administration and monitoring of servers running Dynamic Host Configuration Protocol (DHCP) and Domain Name Service (DNS). IPAM includes components for:
- Automatic IP address infrastructure discovery: IPAM discovers domain controllers, DHCP servers, and DNS servers in the domains you choose. You can enable or disable management of these servers by IPAM.
- Custom IP address space display, reporting, and management: The display of IP addresses is highly customizable and detailed tracking and utilization data is available. IPv4 and IPv6 address space is organized into IP address blocks, IP address ranges, and individual IP addresses. IP addresses are assigned built-in or user-defined fields that can be used to further organize IP address space into hierarchical, logical groups.
- Audit of server configuration changes and tracking of IP address usage: Operational events are displayed for the IPAM server and managed DHCP servers. IPAM also enables IP address tracking using DHCP lease events and user logon events collected from Network Policy Server (NPS), domain controllers, and DHCP servers. Tracking is available by IP address, client ID, host name, or user name.
- Monitoring and management of DHCP and DNS services: IPAM enables automated service availability monitoring for Microsoft DHCP and DNS servers across the forest. DNS zone health is displayed, and detailed DHCP server and scope management is available using the IPAM console.
Reference: IP Address Management (IPAM) Overview
Q6. - (Topic 8)
Your network contains an Active Directory domain named contoso.com. The domain contains 10 sites. The sites are located in different cities and connect to each other by using low-latency WAN links.
In each site, you plan to implement Microsoft System Center 2012 Configuration Manager and to deploy multiple servers.
You need to recommend which Configuration Manager component must be deployed to each site for the planned deployment.
What should you include in the recommendation?
More than one answer choice may achieve the goal. Select the BEST answer.
A. A management point
B. A software update point
C. A distribution group point
D. A secondary site server that has all of the Configuration Manager roles installed
Answer: C
Explanation:
Distribution point groups provide a logical grouping of distribution points and collections for content distribution. A distribution point group is not limited to distribution points from a single site, and can contain one or more distribution points from any site in the hierarchy. When you distribute content to a distribution point group, all distribution points that are members of the distribution point group receive the content.
Reference: Configuring Distribution Point Groups in Configuration Manager
Q7. - (Topic 8)
Your network contains an Active Directory domain named contoso.com. All domain controllers run Windows Server 2012 R2. The forest functional level is Windows Server 2012.
Your company plans to deploy an application that will provide a search interface to users in the company. The application will query the global catalog for the Employee-Number attribute.
You need to recommend a solution to ensure that the application can retrieve the Employee-Number value from the global catalog.
What should you include in the recommendation?
A. the Dsmod command
B. the Ldifde command
C. the Enable-ADOptionalFeature cmdlet
D. the Csvde command
Answer: B
Explanation: Ldifde creates, modifies, and deletes directory objects. You can also use ldifde to extend the schema, export Active Directory user and group information to other applications or services, and populate Active Directory Domain Services (AD DS) with data from other directory services.
Ldifde -l <LDAPAttributeList>: Sets the list of attributes to return in the results of an export query. If you do not specify this parameter, the search returns all attributes.
Incorrect:
Not C:
Optional feature: A non-default behavior that modifies the Active Directory state model.
Q8. - (Topic 3)
You need to recommend a migration strategy for the DHCP servers. The strategy must meet the technical requirements.
Which Windows PowerShell cmdlet should you recommend running on the physical DHCP servers?
A. Import-SmigServerSetting
B. Export-SmigServerSetting
C. Receive-SmigServerData
D. Send-SmigServerData
Answer: B
Explanation: * Scenario:
- Main office: One physical DHCP server that runs Windows Server 2008 R2
- Each branch office: One physical DHCP server that runs Windows Server 2008 R2
- The IPAM server in the main office gathers data from the DNS servers and the DHCP servers in all of the offices.
* Example:
Command Prompt: C:\PS>
Export-SmigServerSetting -Feature "DHCP" -User All -Group -Path "c:\temp\store" -Verbose
This sample command exports the Dynamic Host Configuration Protocol (DHCP) Server and all other Windows features that are required by DHCP Server.
Q9. DRAG DROP - (Topic 8)
Your network contains an Active Directory domain named contoso.com. The domain contains an IP Address Management (IPAM) server.
You plan to delegate the administration of IPAM as shown in the following table.
You need to recommend which IPAM security group must be used for each department. The solution must minimize the number of permissions assigned to each group.
What should you recommend?
To answer, drag the appropriate group to the correct department in the answer area. Each group may be used once, more than once, or not at all. Additionally, you may need to drag the split bar between panes or scroll to view content.
Answer:
Q10. - (Topic 8)
Your network contains an Active Directory domain named contoso.com. The domain contains multiple sites.
You plan to deploy DirectAccess.
The network security policy states that when client computers connect to the corporate network from the Internet, all of the traffic destined for the Internet must be routed through the corporate network.
You need to recommend a solution for the planned DirectAccess deployment that meets the security policy requirement.
Solution: You enable split tunneling.
Does this meet the goal?
A. Yes
B. No
Answer: A
Explanation: DirectAccess by default enables split tunneling. All traffic destined to the corpnet is sent over the DA IPsec tunnels, and all traffic destined for the Internet is sent directly to the Internet over the local interface. This prevents DA clients from bringing the corporate Internet connection to its knees.
Is DA split tunneling really a problem? The answer is no.
Why? Because the risk that exists with VPNs, where the machine can act as a router between the Internet and the corporate network, is not valid with DirectAccess. IPsec rules on the UAG server require that traffic be from an authenticated source, and all traffic between the DA client and server is protected with IPsec.
Thus, in the scenario where the DA client might be configured as a router, the source of the traffic isn’t going to be the DA client, and authentication will fail – hence preventing the type of routing that VPN admins are concerned about.
Reference: Why Split Tunneling is Not a Security Issue with DirectAccess