Download Configuring Advanced Windows Server 2012 Services.70-412.PracticeTest.2018-10-09.263q.vcex

Vendor: Microsoft
Exam Code: 70-412
Exam Name: Configuring Advanced Windows Server 2012 Services
Date: Oct 09, 2018
File Size: 18 MB

Demo Questions

Question 1
Your network contains an Active Directory forest named contoso.com. The forest contains two child domains named east.contoso.com and west.contoso.com.
You install an Active Directory Rights Management Services (AD RMS) cluster in each child domain. 
You discover that all of the users in the contoso.com forest are directed to the AD RMS cluster in east.contoso.com. 
You need to ensure that the users in west.contoso.com are directed to the AD RMS cluster in west.contoso.com and that the users in east.contoso.com are directed to the AD RMS cluster in east.contoso.com. 
What should you do?
  A. Modify the Service Connection Point (SCP).
  B. Configure the Group Policy object (GPO) settings of the users in the west.contoso.com domain.
  C. Configure the Group Policy object (GPO) settings of the users in the east.contoso.com domain.
  D. Modify the properties of the AD RMS cluster in west.contoso.com.
Correct answer: B
Explanation:
The users in west.contoso.com are the ones affected: they need to be directed to the AD RMS cluster in west.contoso.com, not the one in east.contoso.com.
Note: It is recommended that you use GPO to deploy AD RMS client settings and that you only deploy settings as needed.
Reference: AD RMS Best Practices Guide
Question 2
You have a server named Server1 that runs Windows Server 2012 R2. 
From Server Manager, you install the Active Directory Certificate Services server role on Server1. 
A domain administrator named Admin1 logs on to Server1. 
When Admin1 runs the Certification Authority console, Admin1 receives the following error message.
  
You need to ensure that when Admin1 opens the Certification Authority console on Server1, the error message does not appear. 
What should you do?
  A. Install the Active Directory Certificate Services (AD CS) tools.
  B. Run the regsvr32.exe command.
  C. Modify the PATH system variable.
  D. Configure the Active Directory Certificate Services server role from Server Manager.
  E. Run the Install-AdcsCertificationAuthority cmdlet.
  F. Add Admin1 to the Cert Publishers group.
  G. Add Admin1 to the Enterprise Admins group.
Correct answer: D
Explanation:
The error message is related to missing role configuration. 
Cannot Manage Active Directory Certificate Services 
Resolution: configure the two role services, Certification Authority and Certification Authority Web Enrollment.
  
Active Directory Certificate Services (AD CS) is an Active Directory tool that lets administrators customize services in order to issue and manage public key certificates. 
AD CS includes, among others:
  • CA Web enrollment - connects users to a CA with a Web browser
  • Certification authorities (CAs) - manage certificate validation and issue certificates
Incorrect Answers:
A, E. The CA is installed; it just needs to be configured correctly.
Note: Install-AdcsCertificationAuthority
The Install-AdcsCertificationAuthority cmdlet performs installation and configuration of the AD CS CA role service. 
References: Cannot manage Active Directory Certificate Services in Server 2012 Error 0x800070002; Active Directory Certificate Services (AD CS) Definition
http://searchwindowsserver.techtarget.com/definition/Active-Directory-Certificate-Services-AD-CS
Question 3
Your network contains an Active Directory domain named contoso.com. 
A previous administrator implemented a Proof of Concept installation of Active Directory Rights Management Services (AD RMS). 
After the proof of concept was complete, the Active Directory Rights Management Services server role was removed. 
You attempt to deploy AD RMS. 
During the configuration of AD RMS, you receive an error message indicating that an existing AD RMS Service Connection Point (SCP) was found. 
You need to remove the existing AD RMS SCP. 
Which tool should you use?
  A. Active Directory Users and Computers
  B. Authorization Manager
  C. Active Directory Domains and Trusts
  D. Active Directory Sites and Services
  E. Active Directory Rights Management Services
Correct answer: E
Explanation:
AD RMS registers the Service Connection Point (SCP) in Active Directory, and you need to unregister it before you remove the AD RMS server role.
If your AD RMS server is still running, you can remove the SCP manually as shown below:
  
  
Reference: How to manually remove or reinstall ADRMS
Question 4
Your network contains an Active Directory domain named contoso.com. The domain contains a member server named Server1 that has the Active Directory Federation Services server role installed. 
All servers run Windows Server 2012. 
You complete the Active Directory Federation Services Configuration Wizard on Server1. 
You need to ensure that client devices on the internal network can use Workplace Join. 
Which two actions should you perform on Server1? (Each correct answer presents part of the solution. Choose two.)
  A. Run Enable-AdfsDeviceRegistration -PrepareActiveDirectory.
  B. Edit the multi-factor authentication global authentication policy settings.
  C. Run Enable-AdfsDeviceRegistration.
  D. Run Set-AdfsProxyProperties HttpPort 80.
  E. Edit the primary authentication global authentication policy settings.
Correct answer: CE
Explanation:
C. To enable Device Registration Service 
On your federation server, open a Windows PowerShell command window and type:
Enable-AdfsDeviceRegistration 
Repeat this step on each federation farm node in your AD FS farm. 
E. Enable seamless second factor authentication 
Seamless second factor authentication is an enhancement in AD FS that provides an added level of access protection to corporate resources and applications from external devices that are trying to access them. When a personal device is Workplace Joined, it becomes a 'known' device and administrators can use this information to drive conditional access and gate access to resources.
To enable seamless second factor authentication, persistent single sign-on (SSO) and conditional access for Workplace Joined devices: in the AD FS Management console, navigate to Authentication Policies. Select Edit Global Primary Authentication. Select the check box next to Enable Device Authentication, and then click OK.
Reference: Configure a federation server with Device Registration Service.
Question 5
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2. Server1 has the Active Directory Certificate Services server role installed and is configured as an enterprise certification authority (CA). 
You need to ensure that all of the users in the domain are issued a certificate that can be used for the following purposes:
  • Email security 
  • Client authentication 
  • Encrypting File System (EFS) 
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
  A. From a Group Policy, configure the Certificate Services Client - Auto-Enrollment settings.
  B. From a Group Policy, configure the Certificate Services Client - Certificate Enrollment Policy settings.
  C. Modify the properties of the User certificate template, and then publish the template.
  D. Duplicate the User certificate template, and then publish the template.
  E. From a Group Policy, configure the Automatic Certificate Request Settings settings.
Correct answer: AD
Explanation:
The default User template supports all of the requirements except autoenrollment, as shown below:
  
However, a duplicate of the User template can be configured for autoenrollment:
  
The Automatic Certificate Request Settings GPO setting is available only for computers, not for users.
  
Reference: Manage Certificate Enrollment Policy by Using Group Policy.
http://technet.microsoft.com/en-us/library/dd851772.aspx
Question 6
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server3 that runs Windows Server 2012 R2 and has the DHCP Server server role installed. 
DHCP is configured as shown in the exhibit. (Click the Exhibit button.) 
  
Scope1, Scope2, and Scope3 are configured to assign the IP addresses of two DNS servers to DHCP clients. The remaining scopes are NOT configured to assign IP addresses of DNS servers to DHCP clients.  
You need to ensure that only Scope1, Scope3, and Scope5 assign the same DNS servers to DHCP clients. The solution must minimize administrative effort. 
What should you do?
  A. Create a superscope and scope-level policies.
  B. Configure the Scope Options.
  C. Create a superscope and a filter.
  D. Configure the Server Options.
Correct answer: B
Explanation:
Any DHCP scope option, such as DNS servers, can be configured for assignment to DHCP clients.
References: Configuring a DHCP Scope.
https://technet.microsoft.com/en-us/library/dd759218.aspx
Question 7
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2 and has the DNS Server server role installed. 
Server1 has a zone named contoso.com. The zone is configured as shown in the exhibit. (Click the Exhibit button.) 
 
 
You need to assign a user named User1 permission to add and delete records from the contoso.com zone only. 
What should you do first?
  A. Enable the Advanced view from DNS Manager.
  B. Add User1 to the DnsUpdateProxy group.
  C. Run the New Delegation Wizard.
  D. Configure the zone to be Active Directory-integrated.
Correct answer: D
Explanation:
Secure dynamic updates are only supported or configurable for resource records in zones that are stored in Active Directory Domain Services (AD DS). 
Note: To modify security for a resource record:
  • Open DNS Manager. 
  • In the console tree, click the applicable zone. 
  • In the details pane, click the record that you want to view. 
  • On the Action menu, click Properties. 
  • On the Security tab, modify the list of member users or groups that are allowed to securely update the applicable record and reset their permissions as needed. 
Reference: Modify Security for a Resource Record
Question 8
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2 and has the DHCP Server server role installed. 
An administrator installs the IP Address Management (IPAM) Server feature on a server named Server2. The administrator configures IPAM by using Group Policy based provisioning and starts server discovery. 
You plan to create Group Policies for IPAM provisioning. 
You need to identify which Group Policy object (GPO) name prefix must be used for IPAM Group Policies. 
What should you do on Server2?
  A. From Server Manager, review the IPAM overview.
  B. Run the ipamgc.exe tool.
  C. From Task Scheduler, review the IPAM tasks.
  D. Run the Get-IpamConfiguration cmdlet.
Correct answer: D
Explanation:
Example:
  
Question 9
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2 and has the DHCP Server server role installed. 
You need to create an IPv6 scope on Server1. The scope must use an address space that is reserved for private networks. The addresses must be routable. 
Which IPv6 scope prefix should you use?
  A. 2001:123:4567:890A::
  B. FE80:123:4567::
  C. FF00:123:4567:890A::
  D. FD00:123:4567::
Correct answer: D
Explanation:
A unique local address (ULA) is an IPv6 address in the block fc00::/7, defined in RFC 4193. It is the approximate IPv6 counterpart of the IPv4 private address. 
The address block fc00::/7 is divided into two /8 groups:
  • The block fc00::/8 has not been defined yet.
  • The block fd00::/8 is defined for /48 prefixes, formed by setting the 40 least-significant bits of the prefix to a randomly generated bit string.
Prefixes in the fd00::/8 range have similar properties as those of the IPv4 private address ranges:
  • They are not allocated by an address registry and may be used in networks by anyone without outside involvement. 
  • They are not guaranteed to be globally unique. 
  • Reverse Domain Name System (DNS) entries (under ip6.arpa) for fd00::/8 ULAs cannot be delegated in the global DNS.
Reference: RFC 4193
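The block rules in this explanation, as an added Python example (not part of the original practice test): it classifies the four candidate prefixes from the question by address block and builds an fd00::/8 /48 prefix with a random 40-bit Global ID, then carves a /64 from it for a DHCPv6 scope. The function names and the use of `secrets` for the random bits are assumptions of this example.

```python
import ipaddress
import secrets

# Address blocks referenced by the question and its explanation.
ULA = ipaddress.ip_network("fc00::/7")            # unique local (RFC 4193)
ULA_LOCAL = ipaddress.ip_network("fd00::/8")      # locally assigned half
LINK_LOCAL = ipaddress.ip_network("fe80::/10")    # never forwarded by routers
MULTICAST = ipaddress.ip_network("ff00::/8")
GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")


def classify(prefix: str) -> str:
    """Return the address block a prefix such as 'FD00:123:4567::' falls in."""
    addr = ipaddress.IPv6Address(prefix)
    if addr in MULTICAST:
        return "multicast"
    if addr in LINK_LOCAL:
        return "link-local"
    if addr in ULA_LOCAL:
        return "unique local (fd00::/8)"
    if addr in ULA:
        return "unique local (fc00::/8, not yet defined)"
    if addr in GLOBAL_UNICAST:
        return "global unicast"
    return "other"


def new_ula_prefix() -> ipaddress.IPv6Network:
    """Build an fd00::/8 /48: 8 bits of 0xfd followed by a 40-bit Global ID.

    Assumption: the Global ID comes from the OS CSPRNG; RFC 4193 only
    requires it to be pseudo-random.
    """
    global_id = secrets.randbits(40)
    value = (0xFD << 120) | (global_id << 80)
    return ipaddress.IPv6Network((value, 48))


def scope_prefix(site: ipaddress.IPv6Network, subnet_id: int) -> ipaddress.IPv6Network:
    """Return the /64 for a 16-bit subnet ID inside a /48 site prefix."""
    if site.prefixlen != 48 or not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("expected a /48 prefix and a 16-bit subnet ID")
    value = int(site.network_address) | (subnet_id << 64)
    return ipaddress.IPv6Network((value, 64))


if __name__ == "__main__":
    # The four answer options from the question.
    for option in ("2001:123:4567:890A::", "FE80:123:4567::",
                   "FF00:123:4567:890A::", "FD00:123:4567::"):
        print(f"{option:<24} {classify(option)}")
    site = new_ula_prefix()
    print("generated site prefix:", site, "first scope:", scope_prefix(site, 1))
```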
Question 10
Your network contains an Active Directory domain named contoso.com. The domain contains a domain controller named DC1 that runs Windows Server 2012 R2. DC1 has the DNS Server server role installed. 
The network contains client computers that run either Linux, Windows 7, or Windows 8.1. 
You have a standard primary zone named adatum.com as shown in the exhibit. (Click the Exhibit button.) 
  
You plan to configure Name Protection on all of the DHCP servers. 
You need to configure the adatum.com zone to support Name Protection. 
Which two configurations should you perform from DNS Manager? (Each correct answer presents part of the solution. Choose two.)
  A. Sign the zone.
  B. Store the zone in Active Directory.
  C. Modify the Security settings of the zone.
  D. Configure Dynamic updates.
  E. Add a DNS key record.
Correct answer: BD
Explanation:
Name protection requires secure update to work. Without name protection DNS names may be hijacked. 
You can use the following procedures to allow only secure dynamic updates for a zone. Secure dynamic update is supported only for Active Directory-integrated zones. If the zone type is configured differently, you must change the zone type and directory-integrate the zone before securing it for Domain Name System (DNS) dynamic updates.
1. (B) Convert primary DNS server to Active Directory integrated primary 
2. (D) Enable secure dynamic updates 
  
Reference: DHCP: Secure DNS updates should be configured if Name Protection is enabled on any IPv4 scope
http://technet.microsoft.com/en-us/library/ee941152(v=ws.10).aspx