Administering Windows Server 2012 v1.0

Page:    1 / 21   
Exam contains 305 questions

HOTSPOT -
Your network contains an Active Directory domain named contoso.com. The domain contains servers named Server1 and Server2. Both servers have the DFS
Replication role service installed.
You need to configure the DFS Replication environment to meet the following requirements:
-> Increase the quota limit of the staging folder.
-> Configure the staging folder cleanup process to provide the highest amount of free space possible.
Which cmdlets should you use to meet each requirement? To answer, select the appropriate options in the answer area.
Hot Area:




Answer :

Your network contains an Active Directory domain named contoso.com. The domain contains a file server named Server1 that runs Windows Server 2012 R2.
Server1 has a share named Share1.
When users without permission to Share1 attempt to access the share, they receive the Access Denied message as shown in the exhibit. (Click the Exhibit button.)


You deploy a new file server named Server2 that runs Windows Server 2012 R2.
You need to configure Server2 to display the same custom Access Denied message as Server1.
What should you install on Server2?

  • A. The Remote Assistance feature
  • B. The Storage Services server role
  • C. The File Server Resource Manager role service
  • D. The Enhanced Storage feature


Answer : C

Explanation:
Access-Denied Assistance is a new role service of the File Server role in Windows Server 2012.


We need to install the prerequisites for Access-Denied Assistance.
Because Access-Denied Assistance relies up on e-mail notifications, we also need to configure each relevant file server with a Simple Mail Transfer Protocol
(SMTP) server address. Let's do that quickly with Windows PowerShell:
Set-FSRMSetting -SMTPServer mailserver. nuggetlab.com -AdminEmailAddress [email protected] -FromEmailAddress [email protected]
You can enable Access-Denied Assistance either on a per-server basis or centrally via Group Policy. To my mind, the latter approach is infinitely preferable from an administration standpoint.
Create a new GPO and make sure to target the GPO at your file servers' Active Directory computer accounts as well as those of your AD client computers. In the
Group Policy Object Editor, we are looking for the following path to configure Access-Denied Assistance:
\Computer Configuration\Policies\Administrative Templates\System\Access-Denied Assistance

The Customize message for Access Denied errors policy, shown in the screenshot below, enables us to create the actual message box shown to users when they access a shared file to which their user account has no access.

What's cool about this policy is that we can "personalize" the e-mail notifications to give us administrators (and, optionally, file owners) the details they need to resolve the permissions issue quickly and easily.
For instance, we can insert pre-defined macros to swap in the full path to the target file, the administrator e-mail address, and so forth. See this example:
Whoops! It looks like you're having trouble accessing [Original File Path]. Please click Request Assistance to send [Admin Email] a help request e-mail message.
Thanks!
You should find that your users prefer these human-readable, informative error messages to the cryptic, non-descript error dialogs they are accustomed to dealing with.
The Enable access-denied assistance on client for all file types policy should be enabled to force client computers to participate in Access-Denied Assistance.
Again, you must make sure to target your GPO scope accordingly to "hit" your domain workstations as well as your Windows Server 2012 file servers.

Testing the configuration -
This should come as no surprise to you, but Access-Denied Assistance works only with Windows Server 2012 and Windows 8 computers. More specifically, you must enable the Desktop Experience feature on your servers to see Access-Denied Assistance messages on server computers.
When a Windows 8 client computer attempts to open a file to which the user has no access, the custom Access-Denied Assistance message should appear:

If the user clicks Request Assistance in the Network Access dialo

You have a server named Server1 that runs Windows Server 2012 R2. Server1 has the File Server Resource Manager role service installed.
Each time a user receives an access-denied message after attempting to access a folder on Server1, an email notification is sent to a distribution list named DL1.
You create a folder named Folder1 on Server1, and then you configure custom NTFS permissions for Folder1.
You need to ensure that when a user receives an access-denied message while attempting to access Folder1, an email notification is sent to a distribution list named DL2. The solution must not prevent DL1 from receiving notifications about other access-denied messages.
What should you do?

  • A. From Server Manager, run the New Share Wizard to create a share for Folder1 by selecting the SMB Share "" Advanced option.
  • B. From the File Server Resource Manager console, modify the Access-Denied Assistance settings.
  • C. From the File Server Resource Manager console, modify the Email Notifications settings.
  • D. From Server Manager, run the New Share Wizard to create a share for Folder1 by selecting the SMB Share ""Applications option.


Answer : A

Explanation:
When using the email model each of the file shares, you can determine whether access requests to each file share will be received by the administrator, a distribution list that represents the file share owners, or both.
The owner distribution list is configured by using the SMB Share "" Advanced file share profile in the New Share Wizard in Server Manager.
References:
http://technet.microsoft.com/en-us/library/jj574182.aspx#BKMK_12

Your network contains an Active Directory domain named contoso.com. The domain contains a domain controller named DC1.
You run ntdsutil as shown in the exhibit. (Click the Exhibit button.)


You need to ensure that you can access the contents of the mounted snapshot.
What should you do?

  • A. From the snapshot context of ntdsutil, run activate instance "NTDS".
  • B. From a command prompt, run dsamain.exe -dbpath c:\$snap_201204131056_volumec$\windows\ntds\ntds.dit -1dapport 389.
  • C. From the snapshot context of ntdsutil, run mount {79f94f82-5926-4f44-8af0-2f56d827a57d}.
  • D. From a command prompt, run dsamain.exe -dbpath c:\$snap_201204131056_volumec$\windows\ntds\ntds.dit -1dapport 33389.


Answer : D

Explanation:
By default, only members of the Domain Admins group and the Enterprise Admins group are allowed to view the snapshots because they contain sensitive AD DS data. If you want to access snapshot data from an old domain or forest that has been deleted, you can allow nonadministrators to access the data when you run
Dsamain.exe.
If you plan to view the snapshot data on a domain controller, specify ports that are different from the ports that the domain controller will use.
A client starts an LDAP session by connecting to an LDAP server, called a Directory System Agent (DSA), by default on TCP port and UDP [7] port 389. The client then sends an operation request to the server, and the server sends responses in return. With some exceptions, the client does not need to wait for a response before sending the next request, and the server may send the responses in any order. All information is transmitted using Basic Encoding Rules (BER).


References:
http://technet.microsoft.com/en-us/library/cc753609(v=ws.10).aspx

DRAG DROP -
You are a network administrator of an Active Directory domain named contoso.com.
You have a server named Server1 that runs Windows Server 2012 R2. Server1 has the Web Server (IIS) server role installed.
Server1 will host a web site at URL https://secure.contoso.com. The application pool identity account of the web site will be set to a domain user account named
AppPool1.
You need to configure the Service Principal Name (SPN) for the web site.
What should you run? To answer, drag the appropriate objects to the correct location. Each object may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
Select and Place:




Answer :

Explanation:
Note:
* -s <SPN>
Adds the specified SPN for the computer, after verifying that no duplicates exist.
Usage: setspn ""s SPN accountname
For example, to register SPN "http/daserver" for computer "daserver1": setspn -S http/daserver daserver1
Attn: with Windows 2008 option is-abut with Windows 2012 it started to show-s

Definition of an SPN -
An SPN is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each service instance must have its own SPN. A particular service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running. Therefore, a service instance might register an SPN for each name or alias of its host.

Adding SPNs -
To add an SPN, use the setspn -s service/namehostname command at a command prompt, where service/name is the SPN that you want to add and hostname is the actual host name of the computer object that you want to update. For example, if there is an Active Directory domain controller with the host name server1.contoso.com that requires an SPN for the Lightweight Directory Access Protocol (LDAP), type setspn -s ldap/server1.contoso.com server1, and then press ENTER to add the SPN.

The HTTP service class -
The HTTP service class differs from the HTTP protocol. Both the HTTP protocol and the HTTPS protocol use the HTTP service class. The service class is the string that identifies the general class of service.
For example, the command may resemble the following command:
setspn""S HTTP/iis6server1. mydomain.com mydomain\appPool1
References:
http://support.microsoft.com/kb/929650/en-us
http://technet.microsoft.com/en-us/library/cc731241(v=ws.10).aspx

Your network contains an Active Directory domain named contoso.com. The domain contains a domain controller named DC1 that runs Windows Server 2012 R2.
DC1 is backed up daily. The domain has the Active Directory Recycle Bin enabled.
During routine maintenance, you delete 500 inactive user accounts and 100 inactive groups. One of the deleted groups is named Group1. Some of the deleted user accounts are members of some of the deleted groups.
For documentation purposes, you must provide a list of the members of Group1 before the group was deleted.
You need to identify the names of the users who were members of Group1 prior to its deletion.
You want to achieve this goal by using the minimum amount of administrative effort.
What should you do first?

  • A. Mount the most recent Active Directory backup.
  • B. Reactivate the tombstone of Group1.
  • C. Perform an authoritative restore of Group1.
  • D. Use the Recycle Bin to restore Group1.


Answer : A

Explanation:
The Active Directory Recycle Bin does not have the ability to track simple changes to objects.
If the object itself is not deleted, no element is moved to the Recycle Bin for possible recovery in the future. In other words, there is no rollback capacity for changes to object properties, or, in other words, to the values of these properties.

Your network contains an Active Directory domain named contoso.com. The domain contains six domain controllers. The domain controllers are configured as shown in the following table.


The network contains a server named Server1 that has the Hyper-v server role installed. DC6 is a virtual machine that is hosted on Server1.
You need to ensure that you can clone DC6.
Which FSMO role should you transfer to DC2?

  • A. Rid master
  • B. Domain naming master
  • C. PDC emulator
  • D. Infrastructure master


Answer : C

Explanation:
The clone domain controller uses the security context of the source domain controller (the domain controller whose copy it represents) to contact the Windows
Server 2012 R2 Primary Domain Controller (PDC) emulator operations master role holder (also known as flexible single master operations, or FSMO). The PDC emulator must be running Windows Server 2012 R2, but it does not have to be running on a hypervisor.
References:
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/introduction-to-active-directory-domain-services-ad-ds-virtualization-level-100

You have a server named Server1 that runs Windows Server 2012 R2. Server1 has the File Server Resource Manager role service installed.
Server1 has a folder named Folder1 that is used by the human resources department.
You need to ensure that an email notification is sent immediately to the human resources manager when a user copies an audio file or a video file to Folder1.
What should you configure on Server1?

  • A. a storage report task
  • B. a file screen exception
  • C. a file screen
  • D. a file group


Answer : C

Explanation:
Create file screens to control the types of files that users can save, and generate notifications when users attempt to save unauthorized files.
With File Server Resource Manager (FSRM) you can create file screens that prevent users from saving unauthorized files on volumes or folders.
File Screen Enforcement:
You can create file screens to prevent users from saving unauthorized files on volumes or folders. There are two types of file screen enforcement: active and passive enforcement. Active file screen enforcement does not allow the user to save an unauthorized file. Passive file screen enforcement allows the user to save the file, but notifies the user that the file is not an authorized file. You can configure notifications, such as events logged to the event log or e-mails sent to users and administrators, as part of active and passive file screen enforcement.

Your network contains an Active Directory domain named contoso.com. The domain contains five servers. The servers are configured as shown in the following table.


All desktop computers in contoso.com run Windows 8 and are configured to use BitLocker Drive Encryption (BitLocker) on all local disk drives.
You need to deploy the Network Unlock feature. The solution must minimize the number of features and server roles installed on the network.
To which server should you deploy the feature?

  • A. Server1
  • B. Server2
  • C. Server3
  • D. Server4
  • E. Server5


Answer : E

Explanation:
The BitLocker Network Unlock feature will install the WDS role if it is not already installed. If you want to install it separately before you install BitLocker Network
Unlock you can use Server Manager or Windows PowerShell. To install the role using Server Manager, select the Windows Deployment Services role in Server
Manager.

Your network contains an Active Directory domain named contoso.com. The Active Directory Recycle bin is enabled for contoso.com.
A support technician accidentally deletes a user account named User1. You need to restore the User1 account.
Which tool should you use?

  • A. Ldp
  • B. Esentutl
  • C. Active Directory Administrative Center
  • D. Ntdsutil


Answer : C

Your network contains an Active Directory forest named contoso.com. The forest contains a single domain. All domain controllers run Windows Server 2012 R2.
The domain contains two domain controllers. The domain controllers are configured as shown in the following table.


Active Directory Recycle Bin is enabled.
You discover that a support technician accidentally removed 100 users from an Active Directory group named Group1 an hour ago.
You need to restore the membership of Group1.
What should you do?

  • A. Recover the items by using Active Directory Recycle Bin.
  • B. Modify the Recycled attribute of Group1.
  • C. Perform tombstone reanimation.
  • D. Perform an authoritative restore.
  • E. Perform a non-authoritative restore.
  • F. Modify the isDeleted attribute of Group1.
  • G. Apply a virtual machine snapshot to DC2.


Answer : D

Explanation:
Because removing user accounts from an Active Directory group will not send them to the Active Directory Recycle Bin, performing an authoritative restore is the best option.

Your network contains an Active Directory domain named contoso.com. The domain contains a read-only domain controller (RODC) named RODC1.
You create a global group named RODC_Admins.
You need to provide the members of RODC_Admins with the ability to manage the hardware and the software on RODC1. The solution must not provide
RODC_Admins with the ability to manage Active Directory objects.
What should you do?

  • A. From Active Directory Users and Computers, configure the Member of settings of the RODC1 account.
  • B. From Active Directory Site and Services, configure the Security settings of the RODC1 server object.
  • C. From a command prompt, run the dsmgmt local roles command.
  • D. From Windows PowerShell, run the Set-ADAccountControl cmdlet


Answer : C

Explanation:
RODC: using the dsmgmt.exe utility to manage local administrators
One of the benefits of RODC is that you can add local administrators who do not have full access to the domain administration. This gives them the ability to manage the server but not add or change active directory objects unless those roles are delegated. Adding this type of user is done using the dsmdmt.exe utility at the command prompt.
References:
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732301(v%3dws.10)

DRAG DROP -
Your network contains an Active Directory forest named contoso.com. All domain controllers run Windows Server 2008 R2.
The schema is upgraded to Windows Server 2012 R2.
Contoso.com contains two servers. The servers are configured as shown in the following table.


Server1 and Server2 host a load-balanced application pool named AppPool1.
You need to ensure that AppPool1 uses a group Managed Service Account as its identity.
Which three actions should you perform?
To answer, move the three appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Select and Place:



Answer :

Note:
Box 1:
Group Managed Service Accounts Requirements:
-> At least one Windows Server 2012 Domain Controller
-> A Windows Server 2012 or Windows 8 machine with the ActiveDirectory PowerShell module, to create/manage the gMSA.
-> A Windows Server 2012 or Windows 8 domain member to run/use the gMSA.
Box 2:
To create a new managed service account
-> On the domain controller, click Start, and then click Run. In the Open box, type dsa. msc, and then click OK to open the Active Directory Users and Computers snap-in. Confirm that the Managed Service Account container exists.
-> Click Start, click All Programs, click Windows PowerShell 2.0, and then click the Windows PowerShell icon.
-> Run the following command: New-ADServiceAccount [-SAMAccountName<String>] [-Path <String>].
Box 3:
Configure a service account for Internet Information Services
Organizations that want to enhance the isolation of IIS applications can configure IIS application pools to run managed service accounts.
To use the Internet Information Services (IIS) Manager snap-in to configure a service to use a managed service account
-> Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
-> , and click Advanced Settings.
-> In the Identity box, click "¦, click Custom Account, and then click Set.
-> .
Reference: Service Accounts Step-by-Step Guide

Your network contains an Active Directory domain named contoso.com. The domain contains a domain controller named DC1 that runs Windows Server 2012 R2.
You create an Active Directory snapshot of DC1 each day.
You need to view the contents of an Active Directory snapshot from two days ago.
What should you do first?

  • A. Run the dsamain.exe command.
  • B. Stop the Active Directory Domain Services (AD DS) service.
  • C. Start the Volume Shadow Copy Service (VSS).
  • D. Run the ntdsutil.exe command.


Answer : A

Explanation:
Dsamain.exe exposes Active Directory data that is stored in a snapshot or backup as a Lightweight Directory Access Protocol (LDAP) server.
Reference:
http://technet.microsoft.com/en-us/library/cc772168.aspx

Your network contains an Active Directory domain named contoso.com. All domain controllers run Windows Server 2012 R2.
In a remote site, a support technician installs a server named DC10 that runs Windows Server 2012 R2. DC10 is currently a member of a workgroup.
You plan to promote DC10 to a read-only domain controller (RODC).
You need to ensure that a user named Contoso\User1 can promote DC10 to a RODC in the contoso.com domain. The solution must minimize the number of permissions assigned to User1.
What should you do?

  • A. From Active Directory Users and Computers, run the Delegation of Control Wizard on the contoso.com domain object.
  • B. From Active Directory Administrative Center, pre-create an RODC computer account.
  • C. From Ntdsutil, run the local roles command.
  • D. Join DC10 to the domain. Run dsmod and specify the /server switch.
  • E. From Active Directory Administrative Center, modify the security settings of the Domain Controllers organizational unit (OU).
  • F. From Dsmgmt, run the local roles command.
  • G. Join DC10 to the domain. Modify the properties of the DC10 computer account.


Answer : B

Explanation:
A staged read only domain controller(RODC) installation works in two discrete phases:
-> Staging an unoccupied computer account
-> Attaching an RODC to that account during promotion
Install a Windows Server 2012 R2 Active Directory Read-Only Domain Controller (RODC).

Page:    1 / 21   
Exam contains 305 questions

Talk to us!


Have any questions or issues ? Please dont hesitate to contact us

Certlibrary doesn't offer Real Microsoft Exam Questions.
Certlibrary Materials do not contain actual questions and answers from Cisco's Certification Exams.
CFA Institute does not endorse, promote or warrant the accuracy or quality of Certlibrary. CFA® and Chartered Financial Analyst® are registered trademarks owned by CFA Institute.