Download Configuring Advanced Windows Server 2012 Services.70-412.Pass4sures.2019-09-26.268q.tqb

Vendor: Microsoft
Exam Code: 70-412
Exam Name: Configuring Advanced Windows Server 2012 Services
Date: Sep 26, 2019
File Size: 20 MB
Download Exam

How to open TQB files?

Files with TQB (Taurus Question Bank) extension can be opened by Taurus Exam Studio.

Download
Taurus Exam Studio

Purchase
Coupon: TAURUSSIM_20OFF

Discount: 20%

Taurus Exam Simulator Taurus Exam Simulator Taurus Exam Simulator Taurus Exam Simulator Taurus Exam Simulator

Demo Questions

Question 1
Your company recently deployed a new Active Directory forest named contoso.com. The first domain controller in the forest runs Windows Server 2012 R2. 
You need to identify the time-to-live (TTL) value for domain referrals to the NETLOGON and SYSVOL shared folders. 
Which tool should you use?
  1. Ultrasound
  2. Replmon
  3. Dfsdiag
  4. Frsutil
Correct answer: C
Explanation:
DFSDIAG can check your configuration in five different ways:Checking referral responses (DFSDIAG /TestReferral) Checking domain controller configuration Checking site associations Checking namespace server configuration Checking individual namespace configuration and integrity References: https://blogs.technet.microsoft.com/josebda/2009/07/15/five-ways-to-check-your-dfs-namespaces-dfs-n-configuration-with-the-dfsdiag-exe-tool/
DFSDIAG can check your configuration in five different ways:
  • Checking referral responses (DFSDIAG /TestReferral) 
  • Checking domain controller configuration 
  • Checking site associations 
  • Checking namespace server configuration 
  • Checking individual namespace configuration and integrity 
References: https://blogs.technet.microsoft.com/josebda/2009/07/15/five-ways-to-check-your-dfs-namespaces-dfs-n-configuration-with-the-dfsdiag-exe-tool/
Question 2
Your network contains an Active Directory forest named adatum.com. The forest contains a single domain. The domain contains four servers. The servers are configured as shown in the following table. 
  
You need to update the schema to support a domain controller that will run Windows Server 2012 R2. 
On which server should you run adprep.exe?
  1. Server1
  2. DC3
  3. DC2
  4. DC1
Correct answer: B
Explanation:
We must use the Windows Server 2008 R2 Server.  Upgrade Domain Controllers to Windows Server 2012 R2 and Windows Server 2012  You can use adprep.exe on domain controllers that run 64-bit versions of Windows Server 2008 or Windows Server 2008 R2 to upgrade to Windows Server 2012. You cannot upgrade domain controllers that run Windows Server 2003 or 32-bit versions of Windows Server 2008. To replace them, install domain controllers that run a later version of Windows Server in the domain, and then remove the domain controllers that Windows Server 2003. Reference: http://technet.microsoft.com/en-us/library/hh994618.aspx#BKMK_UpgradePaths
We must use the Windows Server 2008 R2 Server.  
Upgrade Domain Controllers to Windows Server 2012 R2 and Windows Server 2012  
You can use adprep.exe on domain controllers that run 64-bit versions of Windows Server 2008 or Windows Server 2008 R2 to upgrade to Windows Server 2012. You cannot upgrade domain controllers that run Windows Server 2003 or 32-bit versions of Windows Server 2008. To replace them, install domain controllers that run a later version of Windows Server in the domain, and then remove the domain controllers that Windows Server 2003. 
Reference: 
http://technet.microsoft.com/en-us/library/hh994618.aspx#BKMK_UpgradePaths
Question 3
Your network contains an Active Directory forest named contoso.com. The forest contains three domains. All domain controllers run Windows Server 2012 R2. 
The forest has a two-way realm trust to a Kerberos realm named adatum.com. 
You discover that users in adatum.com can only access resources in the root domain of contoso.com. 
You need to ensure that the adatum.com users can access the resources in all of the domains in the forest. 
What should you do in the forest?
  1. Delete the realm trust and create a forest trust.
  2. Delete the realm trust and create three external trusts.
  3. Modify the incoming realm trust.
  4. Modify the outgoing realm trust.
Correct answer: D
Explanation:
A one-way, outgoing realm trust allows resources in your Windows Server domain (the domain that you are logged on to at the time that you run the New Trust Wizard) to be accessed by users in the Kerberos realm. You can establish a realm trust between any non-Windows Kerberos version 5 (V5) realm and an Active Directory domain. This trust relationship allows cross-platform interoperability with security services that are based on other versions of the Kerberos V5 protocol, for example, UNIX and MIT implementations. Realm trusts can switch from nontransitive to transitive and back. Realm trusts can also be either one-way or two-way. References:https://www.c-sharpcorner.com/UploadFile/cd7c2e/creating-one-way-outgoing-realm-trust-for-one-side-of-trust/
  • A one-way, outgoing realm trust allows resources in your Windows Server domain (the domain that you are logged on to at the time that you run the New Trust Wizard) to be accessed by users in the Kerberos realm. 
  • You can establish a realm trust between any non-Windows Kerberos version 5 (V5) realm and an Active Directory domain. This trust relationship allows cross-platform interoperability with security services that are based on other versions of the Kerberos V5 protocol, for example, UNIX and MIT implementations. Realm trusts can switch from nontransitive to transitive and back. Realm trusts can also be either one-way or two-way. 
References:
https://www.c-sharpcorner.com/UploadFile/cd7c2e/creating-one-way-outgoing-realm-trust-for-one-side-of-trust/
Question 4
Your network contains an Active Directory forest named contoso.com. The forest contains two domains named contoso.com and childl.contoso.com. The domains contain three domain controllers. 
The domain controllers are configured as shown in the following table. 
  
You need to ensure that the KDC support for claims, compound authentication, and kerberos armoring setting is enforced in the child1.contoso.com domain. 
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
  1. Upgrade DC1 to Windows Server 2012 R2.
  2. Upgrade DC11 to Windows Server 2012 R2.
  3. Raise the domain functional level of childl.contoso.com.
  4. Raise the domain functional level of contoso.com.
  5. Raise the forest functional level of contoso.com.
Correct answer: AD
Explanation:
The root domain in the forest must be at Windows Server 2012level. First upgrade DC1 to this level (A), then raise the contoso.com domain functional level to Windows Server 2012 (D). (A) To support resources that use claims-based access control, the principal’s domains will need to be running one of the following:All Windows Server 2012 domain controllers Sufficient Windows Server 2012domain controllers to handle all the Windows 8 device authentication requests Sufficient Windows Server 2012 domain controllers to handle all the Windows Server 2012 resource protocol transition requests to support non-Windows 8 devices. References:https://technet.microsoft.com/en-us/library/hh831747.aspx.
The root domain in the forest must be at Windows Server 2012level. First upgrade DC1 to this level (A), then raise the contoso.com domain functional level to Windows Server 2012 (D). 
(A) To support resources that use claims-based access control, the principal’s domains will need to be running one of the following:
  • All Windows Server 2012 domain controllers 
  • Sufficient Windows Server 2012domain controllers to handle all the Windows 8 device authentication requests 
  • Sufficient Windows Server 2012 domain controllers to handle all the Windows Server 2012 resource protocol transition requests to support non-Windows 8 devices. 
References:
https://technet.microsoft.com/en-us/library/hh831747.aspx.
Question 5
Your network contains an Active Directory domain named contoso.com. All domain controllers run Windows Server 2012 R2. The domain contains two domain controllers. 
The domain controllers are configured as shown in the following table. 
  
You configure a user named User1 as a delegated administrator of DC10. 
You need to ensure that User1 can log on to DC10 if the network link between the Main site and the Branch site fails. 
What should you do?
  1. Add User1 to the Domain Admins group.
  2. On DC10, modify the User Rights Assignment in Local Policies.
  3. Run repadmin and specify the /prp parameter.
  4. On DC10, run ntdsutil and configure the settings in the Roles context.
  5. Run repadmin and specify /replsingleobject parameter.
  6. On DC1, modify the User Rights Assignment in Default Controllers Group Policy object (GPO).
Correct answer: C
Explanation:
repadmin /prp will allow the password caching of the local administrator to the RODC. This command lists and modifies the Password Replication Policy (PRP) for read-only domain controllers (RODCs). References: RODC Administrationhttps://technet.microsoft.com/en-us/library/cc755310%28v=ws.10%29.aspx
repadmin /prp will allow the password caching of the local administrator to the RODC. 
This command lists and modifies the Password Replication Policy (PRP) for read-only domain controllers (RODCs). 
References: RODC Administration
https://technet.microsoft.com/en-us/library/cc755310%28v=ws.10%29.aspx
Question 6
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2. The system properties of Server1 are shown in the exhibit. 
  
You need to configure Server1 as an enterprise subordinate certification authority (CA). 
What should you do first?
  1. Add RAM to the server.
  2. Set the Startup Type of the Certificate Propagation service to Automatic.
  3. Install the Certification Authority Web Enrollment role service.
  4. Join Server1 to the contoso.com domain.
Correct answer: D
Explanation:
Enterprise CAs must be domain members. From the exhibit we see that it is only a Workgroup member. Note:A new CA can be the root CA of a new PKI or subordinate to another in an existing PKI. Enterprise subordinate certification authority. An enterprise subordinate CA must get a CA certificate from an enterprise root CA but can then issue certificates to all users and computers in the enterprise. These types of CAs are often used for load balancing of an enterprise root CA.   References:https://forsenergy.com/en-us/certsvr/html/e9bd1194-e088-4671-840f-0847cf5ee2a0.htm
Enterprise CAs must be domain members. From the exhibit we see that it is only a Workgroup member. 
Note:
A new CA can be the root CA of a new PKI or subordinate to another in an existing PKI. 
Enterprise subordinate certification authority. 
An enterprise subordinate CA must get a CA certificate from an enterprise root CA but can then issue certificates to all users and computers in the enterprise. These types of CAs are often used for load balancing of an enterprise root CA. 
  
References:
https://forsenergy.com/en-us/certsvr/html/e9bd1194-e088-4671-840f-0847cf5ee2a0.htm
Question 7
Your network contains a perimeter network and an internal network. The internal network contains an Active Directory Federation Services (AD FS) 2.1 infrastructure. The infrastructure uses Active Directory as the attribute store. 
You plan to deploy a federation server proxy to a server named Server2 in the perimeter network. 
You need to identify which value must be included in the certificate that is deployed to Server2. 
What should you identify?
  1. The FQDN of the AD FS server
  2. The name of the Federation Service
  3. The name of the Active Directory domain
  4. The public IP address of Server2
Correct answer: A
Explanation:
To add a host (A) record to corporate DNS for a federation server On a DNS server for the corporate network, open the DNS snap-in. In the console tree, right-click the applicable forward lookup zone, and then click New Host (A). In Name, type only the computer name of the federation server or federation server cluster (for example, type fs for the fully qualified domain name (FQDN) fs.adatum.com). In IP address, type the IP address for the federation server or federation server cluster (for example, 192.168.1.4). Click Add Host. References:https://technet.microsoft.com/en-us/library/cc776786(v=ws.10).aspx
To add a host (A) record to corporate DNS for a federation server On a DNS server for the corporate network, open the DNS snap-in. 
  1. In the console tree, right-click the applicable forward lookup zone, and then click New Host (A). 
  2. In Name, type only the computer name of the federation server or federation server cluster (for example, type fs for the fully qualified domain name (FQDN) fs.adatum.com). 
  3. In IP address, type the IP address for the federation server or federation server cluster (for example, 192.168.1.4). 
  4. Click Add Host. 
References:
https://technet.microsoft.com/en-us/library/cc776786(v=ws.10).aspx
Question 8
Your network contains an Active directory forest named contoso.com. The forest contains two child domains named east.contoso.com and west.contoso.com. 
You install an Active Directory Rights Management Services (AD RMS) cluster in each child domain. 
You discover that all of the users in the contoso.com forest are directed to the AD RMS cluster in east.contoso.com. 
You need to ensure that the users in west.contoso.com are directed to the AD RMS cluster in west.contoso.com and that the users in east.contoso.com are directed to the AD RMS cluster in east.contoso.com. 
What should you do?
  1. Modify the Service Connection Point (SCP).
  2. Configure the Group Policy object (GPO) settings of the users in the west.contoso.com domain.
  3. Configure the Group Policy object (GPO) settings of the users in the east.contoso.com domain.
  4. Modify the properties of the AD RMS cluster in west.contoso.com.
Correct answer: B
Explanation:
The west.contoso.com are the ones in trouble that need to be redirected to the west.contoso.com not the east.contoso.com. Note: It is recommended that you use GPO to deploy AD RMS client settings and that you only deploy settings as needed.References:https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj735304(v=ws.11)
The west.contoso.com are the ones in trouble that need to be redirected to the west.contoso.com not the east.contoso.com. 
Note: It is recommended that you use GPO to deploy AD RMS client settings and that you only deploy settings as needed.
References:
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj735304(v=ws.11)
Question 9
You have a server named Server1 that runs Windows Server 2012 R2. 
From Server Manager, you install the Active Directory Certificate Services server role on Server1. 
A domain administrator named Admin1 logs on to Server1. 
When Admin1 runs the Certification Authority console, Admin1 receive the following error message. 
  
You need to ensure that when Admin1 opens the Certification Authority console on Server1, the error message does not appear. 
What should you do?
  1. Install the Active Directory Certificate Services (AD CS) tools.
  2. Run the regsvr32.exe command.
  3. Modify the PATH system variable.
  4. Configure the Active Directory Certificate Services server role from Server Manager.
  5. Run the Install-AdcsCertificationAuthority cmdlet.
  6. Add Admin1 to the Cert Publishers group.
  7. Add Admin1to the Enterprise Admins group.
  8. Run the Install-WindowsFeature cmdlet
Correct answer: D
Explanation:
The error message is related to missing role configuration. Cannot Manage Active Directory Certificate Services Resolution: configure the two Certification Authority and Certification Authority Web Enrollment Roles.  Active Directory Certificate Services (AD CS) is an Active Directory tool that lets administrators customize services in order to issue and manage public key certificates. AD CS included:CA Web enrollment - connects users to a CA with a Web browser Certification authorities (CAs) - manages certificate validation and issues certificates Etc. Incorrect Answers:A, E. The CA is installed, it just need to be configured correctly. Note: Install-AdcsCertificationAuthorityThe Install-AdcsCertificationAuthority cmdlet performs installation and configuration of the AD CS CA role service. References: Cannot manage Active Directory Certificate Services in Server 2012 Error 0x800070002; Active Directory Certificate Services (AD CS) Definitionhttp://searchwindowsserver.techtarget.com/definition/Active-Directory-Certificate-Services-AD-CS
The error message is related to missing role configuration. 
Cannot Manage Active Directory Certificate Services 
Resolution: configure the two Certification Authority and Certification Authority Web Enrollment Roles.
  
Active Directory Certificate Services (AD CS) is an Active Directory tool that lets administrators customize services in order to issue and manage public key certificates. 
AD CS included:
CA Web enrollment - connects users to a CA with a Web browser 
Certification authorities (CAs) - manages certificate validation and issues certificates 
Etc. 
Incorrect Answers:
A, E. The CA is installed, it just need to be configured correctly. 
Note: Install-AdcsCertificationAuthority
The Install-AdcsCertificationAuthority cmdlet performs installation and configuration of the AD CS CA role service. 
References: Cannot manage Active Directory Certificate Services in Server 2012 Error 0x800070002; Active Directory Certificate Services (AD CS) Definition
http://searchwindowsserver.techtarget.com/definition/Active-Directory-Certificate-Services-AD-CS
Question 10
Your network contains an Active Directory domain named contoso.com. The domain contains a member server named Server1 that has the Active Directory Federation Services server role installed. 
All servers run Windows Server 2012. 
You complete the Active Directory Federation Services Configuration Wizard on Server1. 
You need to ensure that client devices on the internal network can use Workplace Join. 
Which two actions should you perform on Server1? (Each correct answer presents part of the solution. Choose two.)
  1. Run Enable-AdfsDeviceRegistration -PrepareActiveDirectory.
  2. Edit the multi-factor authentication global authentication policy settings.
  3. Run Enable-AdfsDeviceRegistration.
  4. Run Set-AdfsProxyProperties HttpPort 80.
  5. Edit the primary authentication global authentication policy settings.
Correct answer: CE
Explanation:
C. To enable Device Registration Service On your federation server, open a Windows PowerShell command window and type:Enable-AdfsDeviceRegistration Repeat this step on each federation farm node in your AD FS farm. E. Enable seamless second factor authentication Seamless second factor authentication is an enhancement in AD FS that provides an added level of access protection to corporate resources and applications from external devices that are trying to access them. When a personal device is Workplace Joined, it becomes a `known' device and administrators can use this information to drive conditional access and gate access to resources. To enable seamless second factor authentication, persistent single sign-on (SSO) and conditional access for Workplace Joined devices. In the AD FS Management console, navigate to Authentication Policies. Select Edit Global Primary Authentication. Select the check box next to Enable Device Authentication, and then click OK. References:https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/configure-a-federation-server-with-device-registration-service
C. To enable Device Registration Service 
On your federation server, open a Windows PowerShell command window and type:
Enable-AdfsDeviceRegistration 
Repeat this step on each federation farm node in your AD FS farm. 
E. Enable seamless second factor authentication 
Seamless second factor authentication is an enhancement in AD FS that provides an added level of access protection to corporate resources and applications from external devices that are trying to access them. When a personal device is Workplace Joined, it becomes a `known' device and administrators can use this information to drive conditional access and gate access to resources. To enable seamless second factor authentication, persistent single sign-on (SSO) and conditional access for Workplace Joined devices. 
In the AD FS Management console, navigate to Authentication Policies. Select Edit Global Primary Authentication. Select the check box next to Enable Device Authentication, and then click OK. 
References:
https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/configure-a-federation-server-with-device-registration-service
CONNECT US
HOW TO OPEN VCE FILES

Use VCE Exam Simulator to open VCE files
Avanaset

HOW TO OPEN VCEX FILES

Use ProfExam Simulator to open VCEX files
ProfExam Screen

ProfExam
ProfExam at a 20% markdown

You have the opportunity to purchase ProfExam at a 20% reduced price

Get Now!