
70-412 Certification Score

by William Hicks IT Certification

Question: 1

 

Your company recently deployed a new Active Directory forest named contoso.com. The first domain controller in the forest runs Windows Server 2012 R2.

You need to identify the time-to-live (TTL) value for domain referrals to the NETLOGON and SYSVOL shared folders.

Which tool should you use?

 

A. Ultrasound

B. Replmon

C. Dfsdiag

D. Frsutil

 

Answer: C   

 

Explanation:

DFSDIAG can check your configuration in five different ways:

Checking referral responses (DFSDIAG /TestReferral)

Checking domain controller configuration

Checking site associations

Checking namespace server configuration

Checking individual namespace configuration and integrity

Reference: Five ways to check your DFS-Namespaces (DFS-N) configuration with the DFSDIAG.EXE tool

 

Question: 2

Your network contains two Active Directory forests named contoso.com and adatum.com.

Contoso.com contains one domain. Adatum.com contains a child domain named child.adatum.com.

Contoso.com has a one-way forest trust to adatum.com. Selective authentication is enabled on the forest trust.

Several user accounts are migrated from child.adatum.com to adatum.com.

Users report that after the migration, they fail to access resources in contoso.com. The users successfully accessed the resources in contoso.com before the accounts were migrated.

You need to ensure that the migrated users can access the resources in contoso.com.

What should you do?

 

A. Replace the existing forest trust with an external trust.

B. Run netdom and specify the /quarantine attribute.

C. Disable SID filtering on the existing forest trust.

D. Disable selective authentication on the existing forest trust.

 

Answer: C   

 

Explanation:

Security Considerations for Trusts

Need to gain access to the resources in contoso.com

Disabling SID Filter Quarantining on External Trusts

Although it reduces the security of your forest (and is therefore not recommended), you can disable SID filter quarantining for an external trust by using the Netdom.exe tool. You should consider disabling SID filter quarantining only in the following situations:

* Users have been migrated to the trusted domain with their SID histories preserved, and you want to grant them access to resources in the trusting domain based on the SID history attribute.

Etc.

Incorrect:

Not B. Netdom enables administrators to manage Active Directory domains and trust relationships from the command prompt; /quarantine sets or clears the domain quarantine.

Not D. Selective authentication over a forest trust restricts access to only those users in a trusted forest who have been explicitly given authentication permissions to computer objects (resource computers) that reside in the trusting forest.

Reference: Security Considerations for Trusts

http://technet.microsoft.com/en-us/library/cc755321(v=ws.10).aspx

 

Question: 3

Your network contains an Active Directory forest named adatum.com. The forest contains a single domain. The domain contains four servers. The servers are configured as shown in the following table.

 

You need to update the schema to support a domain controller that will run Windows Server 2012 R2.

On which server should you run adprep.exe?

 

A. Server1

B. DC3

C. DC2

D. DC1

 

Answer: B   

 

Explanation:

We must use the Windows Server 2008 R2 Server.

Upgrade Domain Controllers to Windows Server 2012 R2 and Windows Server 2012

You can use adprep.exe on domain controllers that run 64-bit versions of Windows Server 2008 or Windows Server 2008 R2 to upgrade to Windows Server 2012. You cannot upgrade domain controllers that run Windows Server 2003 or 32-bit versions of Windows Server 2008. To replace them, install domain controllers that run a later version of Windows Server in the domain, and then remove the domain controllers that run Windows Server 2003.

Reference: Upgrade Domain Controllers to Windows Server 2012 R2 and Windows Server 2012, Supported in-place upgrade paths.

http://technet.microsoft.com/en-us/library/hh994618.aspx#BKMK_UpgradePaths

 

 

Question: 4

Your network contains an Active Directory forest named contoso.com. The forest contains three domains. All domain controllers run Windows Server 2012 R2.

The forest has a two-way realm trust to a Kerberos realm named adatum.com.

You discover that users in adatum.com can only access resources in the root domain of contoso.com.

You need to ensure that the adatum.com users can access the resources in all of the domains in the forest.

What should you do in the forest?

 

A. Delete the realm trust and create a forest trust.

B. Delete the realm trust and create three external trusts.

C. Modify the incoming realm trust.

D. Modify the outgoing realm trust.

 

Answer: D   

 

Explanation:

* A one-way, outgoing realm trust allows resources in your Windows Server domain (the domain that you are logged on to at the time that you run the New Trust Wizard) to be accessed by users in the Kerberos realm.

* You can establish a realm trust between any non-Windows Kerberos version 5 (V5) realm and an Active Directory domain. This trust relationship allows cross-platform interoperability with security services that are based on other versions of the Kerberos V5 protocol, for example, UNIX and MIT implementations. Realm trusts can switch from nontransitive to transitive and back. Realm trusts can also be either one-way or two-way.

Reference: Create a One-Way, Outgoing, Realm Trust

 

Question: 5

 

Your network contains an Active Directory forest named contoso.com. The forest contains two domains named contoso.com and child1.contoso.com. The domains contain three domain controllers.

The domain controllers are configured as shown in the following table.

 

You need to ensure that the KDC support for claims, compound authentication, and Kerberos armoring setting is enforced in the child1.contoso.com domain.

Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

 

A. Upgrade DC1 to Windows Server 2012 R2.

B. Upgrade DC11 to Windows Server 2012 R2.

C. Raise the domain functional level of child1.contoso.com.

D. Raise the domain functional level of contoso.com.

E. Raise the forest functional level of contoso.com.

 

Answer: A, D   

 

Explanation:

The root domain in the forest must be at Windows Server 2012 level. First upgrade DC1 to this level (A), then raise the contoso.com domain functional level to Windows Server 2012 (D).

* (A) To support resources that use claims-based access control, the principal’s domains will need to be running one of the following:

/ All Windows Server 2012 domain controllers

/ Sufficient Windows Server 2012 domain controllers to handle all the Windows 8 device authentication requests

/ Sufficient Windows Server 2012 domain controllers to handle all the Windows Server 2012 resource protocol transition requests to support non-Windows 8 devices.

Reference: What's New in Kerberos Authentication

http://technet.microsoft.com/en-us/library/hh831747.aspx

 

Question: 6

 

Your network contains an Active Directory domain named contoso.com. All domain controllers run Windows Server 2012 R2. The domain contains two domain controllers.

The domain controllers are configured as shown in the following table.

 

You configure a user named User1 as a delegated administrator of DC10.

You need to ensure that User1 can log on to DC10 if the network link between the Main site and the Branch site fails.

What should you do?

 

A. Add User1 to the Domain Admins group.

B. On DC10, modify the User Rights Assignment in Local Policies.

C. Run repadmin and specify the /prp parameter.

D. On DC10, run ntdsutil and configure the settings in the Roles context.

 

Answer: C   

 

Explanation:

repadmin /prp will allow the password caching of the local administrator to the RODC.

This command lists and modifies the Password Replication Policy (PRP) for read-only domain controllers (RODCs).

Reference: RODC Administration

https://technet.microsoft.com/en-us/library/cc755310%28v=ws.10%29.aspx

 

Question: 7

 

Your company has offices in Montreal, New York, and Amsterdam.

The network contains an Active Directory forest named contoso.com. An Active Directory site exists for each office. All of the sites connect to each other by using the DEFAULTIPSITELINK site link.

You need to ensure that only between 20:00 and 08:00, the domain controllers in the Montreal office replicate the Active Directory changes to the domain controllers in the Amsterdam office.

The solution must ensure that the domain controllers in the Montreal and the New York offices can replicate the Active Directory changes any time of day.

What should you do?

 

A. Create a new site link that contains Montreal and Amsterdam. Remove Amsterdam from DEFAULTIPSITELINK. Modify the schedule of DEFAULTIPSITELINK.

B. Create a new site link that contains Montreal and Amsterdam. Create a new site link bridge. Modify the schedule of DEFAULTIPSITELINK.

C. Create a new site link that contains Montreal and Amsterdam. Remove Amsterdam from DEFAULTIPSITELINK. Modify the schedule of the new site link.

D. Create a new site link that contains Montreal and Amsterdam. Create a new site link bridge. Modify the schedule of the new site link.

 

Answer: C   

 

Explanation:

We create a new site link between Montreal and Amsterdam and schedule it only between 20:00 and 08:00. To ensure that traffic between Montreal and Amsterdam only occurs at this time we also remove Amsterdam from the DEFAULTIPSITELINK.

Reference: How Active Directory Replication Topology Works

http://technet.microsoft.com/en-us/library/cc755994(v=ws.10).aspx

Question: 8

Your network contains two Web servers named Server1 and Server2. Both servers run Windows Server 2012 R2.

Server1 and Server2 are nodes in a Network Load Balancing (NLB) cluster. The NLB cluster contains an application named App1 that is accessed by using the URL http://app1.contoso.com.

You plan to perform maintenance on Server1.

You need to ensure that all new connections to App1 are directed to Server2. The solution must not disconnect the existing connections to Server1.

What should you run?

 

A. The Set-NlbCluster cmdlet

B. The Set-NlbClusterNode cmdlet

C. The Stop-NlbCluster cmdlet

D. The Stop-NlbClusterNode cmdlet

 

Answer: D   

 

Explanation:

The Stop-NlbClusterNode cmdlet stops a node in an NLB cluster. When you stop the nodes in the cluster, client connections that are already in progress are interrupted. To avoid interrupting active connections, consider using the -Drain parameter, which allows the node to continue servicing active connections but disables all new traffic to that node.

-Drain <SwitchParameter>

Drains existing traffic before stopping the cluster node. If this parameter is omitted, existing traffic will be dropped.

Reference: Stop-NlbClusterNode

 

Question: 9

 

Your network contains two servers named HV1 and HV2. Both servers run Windows Server 2012 R2 and have the Hyper-V server role installed.

HV1 hosts 25 virtual machines. The virtual machine configuration files and the virtual hard disks are stored in D:\VM.

You shut down all of the virtual machines on HV1.

You copy D:\VM to D:\VM on HV2.

You need to start all of the virtual machines on HV2. You want to achieve this goal by using the minimum amount of administrative effort.

What should you do?

 

A. Run the Import-VMInitialReplication cmdlet.

B. From HV1, export all virtual machines to D:\VM. Copy D:\VM to D:\VM on HV2 and overwrite the existing files. On HV2, run the Import Virtual Machine wizard.

C. From HV1, export all virtual machines to D:\VM. Copy D:\VM to D:\VM on HV2 and overwrite the existing files. On HV2, run the New Virtual Machine wizard.

D. Run the Import-VM cmdlet.

 

Answer: D   

 

Explanation:

Import-VM

Imports a virtual machine from a file.

Example

Imports the virtual machine from its configuration file. The virtual machine is registered in-place, so its files are not copied.

Windows PowerShell

PS C:\> Import-VM -Path 'D:\Test\VirtualMachines\5AE40946-3A98-428E-8C83-081A3C6BD18C.XML'

Reference: Import-VM