Download Configuring Advanced Windows Server 2012 Services.70-412.SelfTestEngine.2019-07-19.271q.vcex

Vendor: Microsoft
Exam Code: 70-412
Exam Name: Configuring Advanced Windows Server 2012 Services
Date: Jul 19, 2019
File Size: 15 MB

Demo Questions

Question 1
Your network contains two Active Directory forests named contoso.com and adatum.com. Contoso.com contains one domain. Adatum.com contains a child domain named child.adatum.com. 
Contoso.com has a one-way forest trust to adatum.com. Selective authentication is enabled on the forest trust. 
Several user accounts are migrated from child.adatum.com to adatum.com. Users report that after the migration, they fail to access resources in contoso.com. The users successfully accessed the resources in contoso.com before the accounts were migrated. 
You need to ensure that the migrated users can access the resources in contoso.com. 
What should you do?
  A. Replace the existing forest trust with an external trust.
  B. Run netdom and specify the /quarantine attribute.
  C. Disable SID filtering on the existing forest trust.
  D. Disable selective authentication on the existing forest trust.
Correct answer: C
Explanation:
Security Considerations for Trusts 
Need to gain access to the resources in contoso.com 
Disabling SID Filter Quarantining on External Trusts 
Although it reduces the security of your forest (and is therefore not recommended), you can disable SID filter quarantining for an external trust by using the Netdom.exe tool. You should consider disabling SID filter quarantining only in the following situations:
* Users have been migrated to the trusted domain with their SID histories preserved, and you want to grant them access to resources in the trusting domain based on the SID history attribute. 
Etc. 
Incorrect Answers:
B. Netdom enables administrators to manage Active Directory domains and trust relationships from the command prompt; /quarantine sets or clears the domain quarantine. 
D. Selective authentication over a forest trust restricts access to only those users in a trusted forest who have been explicitly given authentication permissions to computer objects (resource computers) that reside in the trusting forest. 
References: Security Considerations for Trusts
https://technet.microsoft.com/en-us/library/cc755321(v=ws.10).aspx
Question 2
Your network contains an Active Directory domain named contoso.com. All domain controllers run Windows Server 2012 R2. The domain contains two domain controllers. 
The domain controllers are configured as shown in the following table. 
  
You configure a user named User1 as a delegated administrator of DC10. 
You need to ensure that User1 can log on to DC10 if the network link between the Main site and the Branch site fails. 
What should you do?
  A. Add User1 to the Domain Admins group.
  B. On DC10, modify the User Rights Assignment in Local Policies.
  C. Run repadmin and specify the /prp parameter.
  D. On DC10, run ntdsutil and configure the settings in the Roles context.
  E. Run repadmin and specify /replsingleobject parameter.
  F. On DC1, modify the User Rights Assignment in Default Controllers Group Policy object (GPO).
Correct answer: C
Explanation:
repadmin /prp allows the local administrator's password to be cached on the RODC. 
This command lists and modifies the Password Replication Policy (PRP) for read-only domain controllers (RODCs). 
References: RODC Administration
https://technet.microsoft.com/en-us/library/cc755310%28v=ws.10%29.aspx
Question 3
Your company has offices in Montreal, New York, and Amsterdam. 
The network contains an Active Directory forest named contoso.com. An Active Directory site exists for each office. All of the sites connect to each other by using the DEFAULTIPSITELINK site link. 
You need to ensure that only between 20:00 and 08:00, the domain controllers in the Montreal office replicate the Active Directory changes to the domain controllers in the Amsterdam office.
The solution must ensure that the domain controllers in the Montreal and the New York offices can replicate the Active Directory changes any time of day. 
What should you do?
  A. Create a new site link that contains Montreal and Amsterdam. Remove Amsterdam from DEFAULTIPSITELINK. Modify the schedule of DEFAULTIPSITELINK.
  B. Create a new site link that contains Montreal and Amsterdam. Create a new site link bridge. Modify the schedule of DEFAULTIPSITELINK.
  C. Create a new site link that contains Montreal and Amsterdam. Remove Amsterdam from DEFAULTIPSITELINK. Modify the schedule of the new site link.
  D. Create a new site link that contains Montreal and Amsterdam. Create a new site link bridge. Modify the schedule of the new site link.
Correct answer: C
Explanation:
We create a new site link between Montreal and Amsterdam and schedule it only between 20:00 and 08:00. To ensure that traffic between Montreal and Amsterdam occurs only at this time, we also remove Amsterdam from the DEFAULTIPSITELINK.
References:
https://technet.microsoft.com/en-us/library/cc755994(v=ws.10).aspx
Question 4
Your network contains two Web servers named Server1 and Server2. Both servers run Windows Server 2012 R2. 
Server1 and Server2 are nodes in a Network Load Balancing (NLB) cluster. The NLB cluster contains an application named App1 that is accessed by using the URL http://app1.contoso.com.
You plan to perform maintenance on Server1. 
You need to ensure that all new connections to App1 are directed to Server2. The solution must not disconnect the existing connections to Server1. 
What should you run?
  A. The Set-NlbCluster cmdlet
  B. The Set-NlbClusterNode cmdlet
  C. The Stop-NlbCluster cmdlet
  D. The Stop-NlbClusterNode cmdlet
  E. The Suspend-NlbClusterNode cmdlet
  F. The nlb.exe suspend command
Correct answer: D
Explanation:
The Stop-NlbClusterNode cmdlet stops a node in an NLB cluster. When you stop the nodes in the cluster, client connections that are already in progress are interrupted. To avoid interrupting active connections, consider using the -Drain parameter, which allows the node to continue servicing active connections but disables all new traffic to that node. 
-Drain <SwitchParameter> 
Drains existing traffic before stopping the cluster node. If this parameter is omitted, existing traffic will be dropped. 
References:
https://docs.microsoft.com/en-us/powershell/module/networkloadbalancingclusters/stop-nlbclusternode
Question 5
Your network contains an Active Directory domain named contoso.com. The domain contains two member servers named Server1 and Server2. All servers run Windows Server 2012 R2. 
Server1 and Server2 have the Failover Clustering feature installed. The servers are configured as nodes in a failover cluster named Cluster1. Cluster1 contains a cluster disk resource. 
A developer creates an application named App1. App1 is NOT a cluster-aware application. App1 runs as a service. App1 stores data on the cluster disk resource. 
You need to ensure that App1 runs in Cluster1. The solution must minimize development effort. 
Which cmdlet should you run?
  A. Add-ClusterGenericServiceRole
  B. Add-ClusterGenericApplicationRole
  C. Add-ClusterScaleOutFileServerRole
  D. Add-ClusterServerRole
Correct answer: B
Explanation:
Add-ClusterGenericApplicationRole 
Configure high availability for an application that was not originally designed to run in a failover cluster. 
If you run an application as a Generic Application, the cluster software will start the application, then periodically query the operating system to see whether the application appears to be running. If so, it is presumed to be online, and will not be restarted or failed over. 
EXAMPLE 1. 
C:\PS> Add-ClusterGenericApplicationRole -CommandLine NewApplication.exe
Name                       OwnerNode                           State  
----                       ---------                           -----  
cluster1GenApp             node2                              Online 
Description 
----------- 
This command configures NewApplication.exe as a generic clustered application. A default name will be used for client access and this application requires no storage. 
Reference: Add-ClusterGenericApplicationRole
http://technet.microsoft.com/en-us/library/ee460976.aspx
Question 6
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2. The system properties of Server1 are shown in the exhibit. (Click the Exhibit button.) 
  
You need to configure Server1 as an enterprise subordinate certification authority (CA). 
What should you do first?
  A. Add RAM to the server.
  B. Set the Startup Type of the Certificate Propagation service to Automatic.
  C. Install the Certification Authority Web Enrollment role service.
  D. Join Server1 to the contoso.com domain.
Correct answer: D
Explanation:
Enterprise CAs must be domain members. From the exhibit we see that it is only a Workgroup member. 
Note:
A new CA can be the root CA of a new PKI or subordinate to another in an existing PKI. 
Enterprise subordinate certification authority. 
An enterprise subordinate CA must get a CA certificate from an enterprise root CA but can then issue certificates to all users and computers in the enterprise. These types of CAs are often used for load balancing of an enterprise root CA. 
  
References:
https://forsenergy.com/en-us/certsvr/html/e9bd1194-e088-4671-840f-0847cf5ee2a0.htm
Question 7
Your network contains an Active Directory forest named contoso.com. The forest contains two child domains named east.contoso.com and west.contoso.com. 
You install an Active Directory Rights Management Services (AD RMS) cluster in each child domain. 
You discover that all of the users in the contoso.com forest are directed to the AD RMS cluster in east.contoso.com. 
You need to ensure that the users in west.contoso.com are directed to the AD RMS cluster in west.contoso.com and that the users in east.contoso.com are directed to the AD RMS cluster in east.contoso.com. 
What should you do?
  A. Modify the Service Connection Point (SCP).
  B. Configure the Group Policy object (GPO) settings of the users in the west.contoso.com domain.
  C. Configure the Group Policy object (GPO) settings of the users in the east.contoso.com domain.
  D. Modify the properties of the AD RMS cluster in west.contoso.com.
Correct answer: B
Explanation:
The users in west.contoso.com are the ones who need to be redirected to the AD RMS cluster in west.contoso.com rather than the one in east.contoso.com. 
Note: It is recommended that you use GPO to deploy AD RMS client settings and that you only deploy settings as needed.
References:
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj735304(v=ws.11)
Question 8
You have a server named Server1 that runs Windows Server 2012 R2. 
From Server Manager, you install the Active Directory Certificate Services server role on Server1. 
A domain administrator named Admin1 logs on to Server1. 
When Admin1 runs the Certification Authority console, Admin1 receives the following error message. 
  
You need to ensure that when Admin1 opens the Certification Authority console on Server1, the error message does not appear. 
What should you do?
  A. Install the Active Directory Certificate Services (AD CS) tools.
  B. Run the regsvr32.exe command.
  C. Modify the PATH system variable.
  D. Configure the Active Directory Certificate Services server role from Server Manager.
  E. Run the Install-AdcsCertificationAuthority cmdlet.
  F. Add Admin1 to the Cert Publishers group.
  G. Add Admin1 to the Enterprise Admins group.
  H. Run the Install-WindowsFeature cmdlet.
Correct answer: D
Explanation:
The error message is related to missing role configuration. 
Cannot Manage Active Directory Certificate Services 
Resolution: configure the two Certification Authority and Certification Authority Web Enrollment Roles.
  
Active Directory Certificate Services (AD CS) is an Active Directory tool that lets administrators customize services in order to issue and manage public key certificates. 
AD CS includes:
* CA Web enrollment - connects users to a CA with a Web browser 
* Certification authorities (CAs) - manage certificate validation and issue certificates 
Etc. 
Incorrect Answers:
A, E. The CA is installed; it just needs to be configured correctly. 
Note: Install-AdcsCertificationAuthority
The Install-AdcsCertificationAuthority cmdlet performs installation and configuration of the AD CS CA role service. 
References: Cannot manage Active Directory Certificate Services in Server 2012 Error 0x800070002; Active Directory Certificate Services (AD CS) Definition
http://searchwindowsserver.techtarget.com/definition/Active-Directory-Certificate-Services-AD-CS
Question 9
Your network contains an Active Directory domain named contoso.com. The domain contains a member server named Server1 that has the Active Directory Federation Services server role installed. 
All servers run Windows Server 2012. 
You complete the Active Directory Federation Services Configuration Wizard on Server1. 
You need to ensure that client devices on the internal network can use Workplace Join. 
Which two actions should you perform on Server1? (Each correct answer presents part of the solution. Choose two.)
  A. Run Enable-AdfsDeviceRegistration -PrepareActiveDirectory.
  B. Edit the multi-factor authentication global authentication policy settings.
  C. Run Enable-AdfsDeviceRegistration.
  D. Run Set-AdfsProxyProperties HttpPort 80.
  E. Edit the primary authentication global authentication policy settings.
Correct answer: CE
Explanation:
C. To enable Device Registration Service 
On your federation server, open a Windows PowerShell command window and type:
Enable-AdfsDeviceRegistration 
Repeat this step on each federation farm node in your AD FS farm. 
E. Enable seamless second factor authentication 
Seamless second factor authentication is an enhancement in AD FS that provides an added level of access protection to corporate resources and applications from external devices that are trying to access them. When a personal device is Workplace Joined, it becomes a 'known' device and administrators can use this information to drive conditional access and gate access to resources. To enable seamless second factor authentication, persistent single sign-on (SSO) and conditional access for Workplace Joined devices: 
In the AD FS Management console, navigate to Authentication Policies. Select Edit Global Primary Authentication. Select the check box next to Enable Device Authentication, and then click OK. 
References:
https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/configure-a-federation-server-with-device-registration-service
Question 10
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2. Server1 has the Active Directory Certificate Services server role installed and is configured as an enterprise certification authority (CA). 
You need to ensure that all of the users in the domain are issued a certificate that can be used for the following purposes:
  • Email security 
  • Client authentication 
  • Encrypting File System (EFS) 
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
  A. From a Group Policy, configure the Certificate Services Client - Auto-Enrollment settings.
  B. From a Group Policy, configure the Certificate Services Client - Certificate Enrollment Policy settings.
  C. Modify the properties of the User certificate template, and then publish the template.
  D. Duplicate the User certificate template, and then publish the template.
  E. From a Group Policy, configure the Automatic Certificate Request Settings settings.
Correct answer: AD
Explanation:
The default user template supports all of the requirements EXCEPT auto enroll as shown below:
  
However, a duplicate of the User template has the ability to autoenroll:
  
The Automatic Certificate Request Settings GPO setting is only available to Computer, not user. 
  
References:
https://technet.microsoft.com/en-us/library/dd851772.aspx