Microsoft 70-411 Exam – Q123

Your network contains an Active Directory forest named contoso.com. The functional level of the forest is Windows Server 2008 R2. All of the user accounts in the marketing department are members of a group named Contoso\MarketingUsers. All of the computer accounts in the marketing department are members of a group named Contoso\MarketingComputers.

A domain user named User1 is a member of the Contoso\MarketingUsers group. A computer named Computer1 is a member of the Contoso\MarketingComputers group. You have five Password Settings objects (PSOs). The PSOs are defined as shown in the following table.
[Table image 123a from the original question is not reproduced here.]

When User1 logs on to Computer1 and attempts to change her password, she receives an error message indicating that her password is too short.

You need to tell User1 what her minimum password length is. What should you tell User1?

A. 10
B. 11
C. 12
D. 14

Correct Answer: A

Explanation:
If multiple PSOs are linked to a user or group, the resultant PSO that is applied is determined as follows:

1. A PSO that is linked directly to the user object is the resultant PSO. (Multiple PSOs should not be directly linked to a user object.)

2. If no PSO is linked directly to the user object, the global security group memberships of the user, and all PSOs that are applicable to the user based on those global group memberships, are compared. The PSO with the lowest precedence value is the resultant PSO.

3. If no PSO is obtained from conditions (1) and (2), the Default Domain Policy is applied.
https://technet.microsoft.com/en-us/library/cc770394
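As an added example (not part of the exam guide), the following PowerShell reproduces the three-step resolution above for User1 and then cross-checks it against the domain controller's own calculation. It assumes the ActiveDirectory module is available and that the session has read access to the PSOs in the Password Settings Container; the user name User1 comes from the question.

```powershell
# Added example: resolve the resultant PSO for User1 the way the explanation describes.
Import-Module ActiveDirectory

$user = Get-ADUser -Identity 'User1' -Properties memberOf

# Candidate subjects are the user object itself (step 1) and its direct group memberships (step 2).
# Computer groups such as Contoso\MarketingComputers never appear here: PSOs apply to
# user objects and global security groups only, so Computer1's group is irrelevant.
$subjects = @($user.DistinguishedName) + @($user.memberOf)

$candidates = Get-ADFineGrainedPasswordPolicy -Filter * |
    Where-Object { @($_.AppliesTo | Where-Object { $subjects -contains $_ }).Count -gt 0 }

# A PSO linked directly to the user wins outright; otherwise the lowest Precedence value wins.
$direct = $candidates | Where-Object { $_.AppliesTo -contains $user.DistinguishedName }
$winner = if ($direct) { $direct | Select-Object -First 1 }
          else         { $candidates | Sort-Object Precedence | Select-Object -First 1 }

if ($winner) {
    "Resultant PSO: {0} (precedence {1}), MinPasswordLength = {2}" -f `
        $winner.Name, $winner.Precedence, $winner.MinPasswordLength
} else {
    # Step 3: no PSO applies, so the Default Domain Policy governs.
    "No PSO applies; Default Domain Policy minimum length:"
    Get-ADDefaultDomainPasswordPolicy | Select-Object MinPasswordLength
}

# Authoritative cross-check: the DC computes the resultant PSO itself, and this
# also accounts for nested group membership, which the direct memberOf list above does not.
Get-ADUserResultantPasswordPolicy -Identity 'User1' |
    Select-Object Name, Precedence, MinPasswordLength
```

The manual walk-through is there to show why the answer is the lowest-precedence PSO among the user's group-linked PSOs; in practice Get-ADUserResultantPasswordPolicy is the one-line answer to "what is User1's minimum password length".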

Microsoft 70-411 Exam – Q122

Your network contains an Active Directory domain named contoso.com. All domain controllers run either Windows Server 2008 or Windows Server 2008 R2.

You deploy a new domain controller named DC1 that runs Windows Server 2012 R2. You log on to DC1 by using an account that is a member of the Domain Admins group. You discover that you cannot create Password Settings objects (PSOs) by using Active Directory Administrative Center. You need to ensure that you can create PSOs from Active Directory Administrative Center.

What should you do?

A. Modify the membership of the Group Policy Creator Owners group.
B. Transfer the PDC emulator operations master role to DC1.
C. Upgrade all of the domain controllers that run Windows Server 2008.
D. Raise the functional level of the domain.

Correct Answer: D

Explanation:
Fine-grained password policies apply only to global security groups and user objects. By default, only members of the Domain Admins group can set fine-grained password policies. However, you can also delegate the ability to set these policies to other users. The domain functional level must be Windows Server 2008 or higher.

https://technet.microsoft.com/en-us/library/hh831702.aspx

Microsoft 70-411 Exam – Q121

Your network contains an Active Directory domain named contoso.com. The domain contains six domain controllers. The domain controllers are configured as shown in the following table.

[Table image 121a from the original question is not reproduced here.]

The network contains a server named Server1 that has the Hyper-V server role installed. DC6 is a virtual machine that is hosted on Server1.

You need to ensure that you can clone DC6.

Which FSMO role should you transfer to DC2?
A. RID master
B. Domain naming master
C. PDC emulator
D. Infrastructure master

Correct Answer: C

Explanation:
The clone domain controller uses the security context of the source domain controller (the domain controller whose copy it represents) to contact the Windows Server 2012 Primary Domain Controller (PDC) emulator operations master role holder (also known as flexible single master operations, or FSMO). The PDC emulator must be running Windows Server 2012, but it does not have to be running on a hypervisor.

https://technet.microsoft.com/en-us/library/hh831734.aspx
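As an added example (not from the exam guide), this PowerShell checks which domain controller holds the PDC emulator role and what it runs, moves the role to DC2 when the holder is too old for cloning, and then lists the two other cloning prerequisites a practitioner would verify before running New-ADDCCloneConfigFile on DC6. It assumes the ActiveDirectory module and Domain Admins rights; the last cmdlet must run on the source DC (DC6).

```powershell
# Added example: make sure the PDC emulator can serve a cloned DC, then check cloning prerequisites.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$pdc    = Get-ADDomainController -Identity $domain.PDCEmulator
"PDC emulator: {0} running {1}" -f $pdc.HostName, $pdc.OperatingSystem

# The clone contacts the PDC emulator using the source DC's security context, so the role holder
# must run Windows Server 2012 or later (it need not be virtualized). Transfer to DC2 otherwise.
if ($pdc.OperatingSystem -notmatch 'Windows Server (2012|2016|2019|2022)') {
    Move-ADDirectoryServerOperationMasterRole -Identity 'DC2' -OperationMasterRole PDCEmulator -Confirm:$false
    $pdc = Get-ADDomainController -Identity (Get-ADDomain).PDCEmulator
    "PDC emulator is now: {0}" -f $pdc.HostName
}

# Further prerequisites not covered by the question: the source DC must be a member of
# Cloneable Domain Controllers, and applications outside the cloning allow-list must be
# reviewed (Get-ADDCCloningExcludedApplicationList runs on the source DC itself).
Get-ADGroupMember -Identity 'Cloneable Domain Controllers' | Select-Object Name
Get-ADDCCloningExcludedApplicationList
```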

Microsoft 70-411 Exam – Q120

Your network contains an Active Directory domain named contoso.com. All servers run Windows Server 2012 R2. The domain contains a server named Server1 that has the Network Policy Server server role and the Remote Access server role installed. The domain contains a server named Server2 that is configured as a RADIUS server. Server1 provides VPN access to external users.

You need to ensure that all of the VPN connections to Server1 are logged to the RADIUS server on Server2.

What should you run?

A. Add-RemoteAccessRadius -ServerName Server1 -AccountingOnOffMsg Enabled -SharedSecret “Secret” -Purpose Accounting
B. Set-RemoteAccessAccounting -AccountingOnOffMsg Enabled -AccountingOnOffMsg Enabled
C. Add-RemoteAccessRadius -ServerName Server2 -AccountingOnOffMsg Enabled -SharedSecret “Secret” -Purpose Accounting
D. Set-RemoteAccessAccounting -EnableAccountingType Inbox -AccountingOnOffMsg Enabled

Correct Answer: C

Explanation:
The Add-RemoteAccessRadius cmdlet adds a new external RADIUS server for one of the following purposes:
— Accounting. RADIUS accounting configuration applies to both DirectAccess (DA) and VPN.
— One-time password (OTP). OTP RADIUS configuration applies only to DA.
— Authentication. RADIUS authentication configuration applies only to VPN.

RADIUS server configuration for accounting and OTP is global in nature; that is, the configuration applies to the entire Remote Access deployment.

RADIUS server configuration for VPN authentication applies only to a specific VPN server and all servers in its load-balancing cluster, or, if multi-site is deployed, to all VPN servers at a site.

The following describes aspects of this cmdlet's behavior.
— If a RADIUS server is currently being used for a specific purpose, it can be added for an additional purpose by using this cmdlet.

— The RADIUS server properties for authentication and accounting are the same, except for the AccountingOnOffMsg parameter, which applies only to accounting RADIUS, and the MsgAuthenticator parameter, which applies only to authentication RADIUS. These properties are not relevant for DA OTP authentication.

— If a user tries to add a RADIUS server for a particular purpose but specifies a parameter that is not applicable to that purpose, the cmdlet still runs, but the parameter is ignored and a warning message is issued. When adding a RADIUS server for OTP authentication, both of the parameters described above are ignored if specified.

— If the accounting configuration is Windows Server® 2012 (inbox) accounting, a user can switch to external RADIUS accounting by adding an external RADIUS server for the purpose of accounting.

— The following are some prerequisites for adding a RADIUS server.
—- A RADIUS server cannot be added for authentication when VPN is not installed.
—- A RADIUS server cannot be added for authentication when the authentication type is Windows or when local NPS is installed.
—- A RADIUS server cannot be added for the purpose of accounting when external RADIUS accounting is not enabled.
—- A RADIUS server cannot be added for the purpose of OTP authentication if OTP authentication is not enabled.

Parameters:
-ServerName
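As an added example (not part of the exam guide), the following PowerShell applies answer C on Server1 without embedding the shared secret in a script, and then verifies that Server2 really is registered for the accounting purpose with accounting On/Off messages enabled. It assumes the RemoteAccess module on Server1; the property names read back from Get-RemoteAccessRadius (ServerName, Port, Purpose, AccountingOnOffMsg) are assumed to match the cmdlet's output.

```powershell
# Added example: register Server2 as the deployment-wide RADIUS accounting server and verify it.
Import-Module RemoteAccess

# Prompt for the secret instead of hard-coding "Secret"; the cmdlet itself takes a plain string.
$secure = Read-Host -Prompt 'Shared secret configured on Server2' -AsSecureString
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password

# Accounting is global (DA and VPN), so this single call covers every VPN connection to Server1.
Add-RemoteAccessRadius -ServerName 'Server2' -SharedSecret $plain -Purpose Accounting -AccountingOnOffMsg Enabled
$plain = $null

# Verification: list accounting servers and flag a missing or mis-purposed Server2 entry.
$acct = @(Get-RemoteAccessRadius -Purpose Accounting)
foreach ($s in $acct) {
    "{0}:{1} purpose={2} AccountingOnOffMsg={3}" -f $s.ServerName, $s.Port, $s.Purpose, $s.AccountingOnOffMsg
}
if (-not ($acct | Where-Object { $_.ServerName -eq 'Server2' })) {
    Write-Warning 'Server2 is not configured for RADIUS accounting; VPN sessions will not be logged there.'
}
```

Answer A fails because it names Server1, the RRAS server itself, rather than the RADIUS server; the Set-RemoteAccessAccounting options only toggle inbox accounting and do not point at an external server.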

Microsoft 70-411 Exam – Q119

Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2 and has the Network Policy Server role service installed.

An administrator creates a RADIUS client template named Template1. You create a RADIUS client named Client1 by using Template1. You need to modify the shared secret for Client1.

What should you do first?

A. Configure the Advanced settings of Template1.
B. Set the Shared secret setting of Template1 to Manual.
C. Clear Enable this RADIUS client for Client1.
D. Clear Select an existing template for Client1.

Correct Answer: D

Explanation:
You can use Network Policy Server (NPS) templates to create configuration elements, such as Remote Authentication Dial-In User Service (RADIUS) clients or shared secrets, that you can reuse on the local NPS server and export for use on other NPS servers. Templates Management provides a node in the NPS console where you can create, modify, delete, duplicate, and view the use of NPS templates. NPS templates are designed to reduce the amount of time and cost that it takes to configure NPS on one or more servers.

[Screenshot 119a from the original explanation is not reproduced here.]

https://technet.microsoft.com/en-us/library/ee663945(v=ws.10).aspx

Microsoft 70-411 Exam – Q118

You are a network administrator of an Active Directory domain named contoso.com. You have a server named Server1 that runs Windows Server 2012 R2. Server1 has the DHCP Server server role and the Network Policy Server role service installed.

You enable Network Access Protection (NAP) on all of the DHCP scopes on Server1. You need to create a DHCP policy that will apply to all of the NAP non-compliant DHCP clients.

Which criteria should you specify when you create the DHCP policy?

A. The client identifier
B. The user class
C. The vendor class
D. The relay agent information

Correct Answer: B

Explanation:

To configure a NAP-enabled DHCP server

1. On the DHCP server, click Start, click Run, in Open, type dhcpmgmt.msc, and then press ENTER.

2. In the DHCP console, open \IPv4.

3. Right-click the name of the DHCP scope that you will use for NAP client computers, and then click Properties.

4. On the Network Access Protection tab, under Network Access Protection Settings, choose Enable for this scope, verify that Use default Network Access Protection profile is selected, and then click OK.

5. In the DHCP console tree, under the DHCP scope that you have selected, right-click Scope Options, and then click Configure Options.

6. On the Advanced tab, verify that Default User Class is selected next to User class.

7. Select the 003 Router check box, and in IP Address, under Data entry, type the IP address for the default gateway used by compliant NAP client computers, and then click Add.

8. Select the 006 DNS Servers check box, and in IP Address, under Data entry, type the IP address for each DNS server to be used by compliant NAP client computers, and then click Add.

9. Select the 015 DNS Domain Name check box, and in String value, under Data entry, type your organization’s domain name (for example, woodgrovebank.local), and then click Apply. This domain is a full-access network assigned to compliant NAP clients.

10. On the Advanced tab, next to User class, choose Default Network Access Protection Class.

11. Select the 003 Router check box, and in IP Address, under Data entry, type the IP address for the default gateway used by noncompliant NAP client computers, and then click Add. This can be the same default gateway that is used by compliant NAP clients.
Note: The default gateway will not be used by noncompliant NAP client computers unless it is required to create static host routes to the DHCP server or to remediation servers.

12. Select the 006 DNS Servers check box, and in IP Address, under Data entry, type the IP address for each DNS server to be used by noncompliant NAP client computers, and then click Add. These can be the same DNS servers used by compliant NAP clients.

13. Select the 015 DNS Domain Name check box, and in String value, under Data entry, type a name to identify the restricted domain (for example, restricted.woodgrovebank.local), and then click OK. This domain is a restricted-access network assigned to noncompliant NAP clients.

14. Click OK to close the Scope Options dialog box.

15. Close the DHCP console.
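As an added example (not from the exam guide or Microsoft's procedure), the following PowerShell performs steps 3 to 14 with the DhcpServer module instead of the console. It shows the point of the question directly: the compliant clients get the scope's plain options, while the non-compliant clients get a second set of options tied to the Default Network Access Protection Class user class, which is the criterion a DHCP policy for those clients keys on. The scope and addresses are constructed for the illustration; the NapEnable and NapProfile property names read back by Get-DhcpServerv4Scope are assumed.

```powershell
# Added example: NAP-enabled DHCP scope with separate options for compliant and non-compliant clients.
Import-Module DhcpServer

$scope = '192.168.10.0'                    # constructed scope id
$gw    = '192.168.10.1'                    # constructed default gateway (shared by both classes)

# Steps 3-4: enable NAP on the scope with the default NAP profile.
Set-DhcpServerv4Scope -ScopeId $scope -NapEnable $true

# Steps 5-9: options without a user class are what "Default User Class" means in the console;
# these go to compliant clients (full-access network).
Set-DhcpServerv4OptionValue -ScopeId $scope `
    -Router $gw -DnsServer '192.168.10.10' -DnsDomain 'woodgrovebank.local' -Force

# Steps 10-13: the same option ids, but scoped to the NAP user class, so that non-compliant
# clients land in the restricted network with remediation-only DNS.
$napClass = 'Default Network Access Protection Class'
Set-DhcpServerv4OptionValue -ScopeId $scope -UserClass $napClass `
    -Router $gw -DnsServer '192.168.10.11' -DnsDomain 'restricted.woodgrovebank.local' -Force

# Verify both the NAP flag and that each option id exists once per user class.
Get-DhcpServerv4Scope -ScopeId $scope | Select-Object ScopeId, NapEnable, NapProfile
Get-DhcpServerv4OptionValue -ScopeId $scope -All |
    Sort-Object OptionId, UserClass |
    Format-Table OptionId, Name, UserClass, Value -AutoSize
```

A DHCP policy (answer B) built on the user class condition "Default Network Access Protection Class" matches exactly the clients that receive the second option set, which is why neither the client identifier, the vendor class nor relay agent information distinguishes NAP-non-compliant machines.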

https://msdn.microsoft.com/en-us/library/dd296905(v=ws.10).aspx

Microsoft 70-411 Exam – Q117

Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2.

You enable and configure Routing and Remote Access (RRAS) on Server1. You create a user account named User1. You need to ensure that User1 can establish VPN connections to Server1.

What should you do?

A. Create a network policy.
B. Create a connection request policy.
C. Add a RADIUS client.
D. Modify the members of the Remote Management Users group.

Correct Answer: A

Explanation:

Network policies are sets of conditions, constraints, and settings that allow you to designate who is authorized to connect to the network and the circumstances under which they can or cannot connect.

https://technet.microsoft.com/en-us/library/cc754107.aspx

Microsoft 70-411 Exam – Q116

Your company has offices in five locations around the country. Most of the users’ activity is local to their own network. Occasionally, some of the users in one location need to send confidential information to one of the other four locations or to retrieve information from one of them. The communication between the remote locations is sporadic and relatively infrequent, so you have configured RRAS to use demand-dial lines to set up the connections.

Management’s only requirement is that any communication between the office locations be appropriately secured.

Which of the following steps should you take to ensure compliance with this requirement? (Each correct answer presents part of the solution. Choose two.)

A. Configure CHAP on all the RRAS servers.
B. Configure PAP on all the RRAS servers.
C. Configure MPPE on all the RRAS servers.
D. Configure L2TP on all the RRAS servers.
E. Configure MS-CHAPv2 on all the RRAS servers.

Correct Answer: C, E

Explanation:

[Figure 116a: Structure of a PPTP packet containing an IP datagram; image not reproduced here.]

The PPP frame is encrypted with Microsoft Point-to-Point Encryption (MPPE) by using encryption keys generated from the Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2) or Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) authentication process. Virtual private networking clients must use the MS-CHAP v2 or EAP-TLS authentication protocols in order for the payloads of PPP frames to be encrypted. PPTP takes advantage of the underlying PPP encryption by encapsulating a previously encrypted PPP frame.

https://technet.microsoft.com/en-us/library/dd469817

Microsoft 70-411 Exam – Q115

Your network contains two Active Directory domains named contoso.com and adatum.com. The network contains a server named Server1 that runs Windows Server 2012 R2. Server1 has the DNS Server server role installed. Server1 has a copy of the contoso.com DNS zone.

You need to configure Server1 to resolve names in the adatum.com domain. The solution must meet the following requirements:

– Prevent the need to change the configuration of the current name servers that host zones for adatum.com.
– Minimize administrative effort.

Which type of zone should you create?

A. Secondary
B. Stub
C. Reverse lookup
D. Primary

Correct Answer: B

Explanation:

Primary zone
When a zone that this DNS server hosts is a primary zone, the DNS server is the primary source for information about this zone, and it stores the master copy of zone data in a local file or in AD DS. When the zone is stored in a file, by default the primary zone file is named zone_name.dns and it is located in the %windir%\System32\Dns folder on the server.

Secondary zone
When a zone that this DNS server hosts is a secondary zone, this DNS server is a secondary source for information about this zone. The zone at this server must be obtained from another remote DNS server computer that also hosts the zone. This DNS server must have network access to the remote DNS server that supplies this server with updated information about the zone. Because a secondary zone is merely a copy of a primary zone that is hosted on another server, it cannot be stored in AD DS.

Stub zone

When a zone that this DNS server hosts is a stub zone, this DNS server is a source only for information about the authoritative name servers for this zone. The zone at this server must be obtained from another DNS server that hosts the zone. This DNS server must have network access to the remote DNS server to copy the authoritative name server information about the zone.

You can use stub zones to:
– Keep delegated zone information current. By updating a stub zone for one of its child zones regularly, the DNS server that hosts both the parent zone and the stub zone will maintain a current list of authoritative DNS servers for the child zone.

– Improve name resolution. Stub zones enable a DNS server to perform recursion using the stub zone’s list of name servers, without having to query the Internet or an internal root server for the DNS namespace.

– Simplify DNS administration. By using stub zones throughout your DNS infrastructure, you can distribute a list of the authoritative DNS servers for a zone without using secondary zones. However, stub zones do not serve the same purpose as secondary zones, and they are not an alternative for enhancing redundancy and load sharing.
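As an added example (not part of the exam guide), the following PowerShell creates the stub zone for adatum.com on Server1 and then shows what the zone actually contains, which is the practical reason it satisfies both requirements: a stub holds only the SOA, NS and glue A records, which it obtains from the adatum.com name servers with ordinary DNS queries, so those servers need no zone-transfer configuration, unlike the secondary zone in answer A. It assumes the DnsServer module on Server1; the master address is a constructed placeholder.

```powershell
# Added example: stub zone for adatum.com on Server1, then inspect and exercise it.
Import-Module DnsServer

$adatumMaster = '10.0.1.53'        # constructed: one authoritative adatum.com name server

# AD-integrated so that every DC/DNS server in contoso.com receives it without extra work.
Add-DnsServerStubZone -Name 'adatum.com' -MasterServers $adatumMaster -ReplicationScope 'Domain'

# What the stub holds: zone metadata plus only NS records and their glue, refreshed from the master.
Get-DnsServerZone -Name 'adatum.com' | Select-Object ZoneName, ZoneType, IsDsIntegrated, MasterServers
Get-DnsServerResourceRecord -ZoneName 'adatum.com' -RRType NS |
    Select-Object HostName, @{n='NameServer'; e={ $_.RecordData.NameServer }}
Get-DnsServerResourceRecord -ZoneName 'adatum.com' -RRType A |
    Select-Object HostName, @{n='Glue'; e={ $_.RecordData.IPv4Address }}

# Resolution test through Server1: the stub lets Server1 recurse straight to adatum.com's
# authoritative servers instead of walking the root hints. Host name is constructed.
Resolve-DnsName -Name 'fs1.adatum.com' -Type A -Server 'Server1'
```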

https://technet.microsoft.com/en-us/library/cc771898.aspx

Microsoft 70-411 Exam – Q114

Your network contains an Active Directory domain named contoso.com. The domain contains a Web server named www.contoso.com. The Web server is available on the Internet.

You implement DirectAccess by using the default configuration. You need to ensure that users never attempt to connect to www.contoso.com by using DirectAccess. The solution must not prevent the users from using DirectAccess to access other resources in contoso.com.

Which settings should you configure in a Group Policy object (GPO)?

A. DirectAccess Client Experience Settings
B. DNS Client
C. Name Resolution Policy
D. Network Connections

Correct Answer: C

Explanation:
When a DirectAccess client is on the Internet, the Name Resolution Policy Table (NRPT) sends DNS name queries for intranet resources to intranet DNS servers. A typical NRPT for DirectAccess will have a rule for the namespace of the organization, such as contoso.com for the Contoso Corporation, with the Internet Protocol version 6 (IPv6) addresses of intranet DNS servers. With just this rule in the NRPT, when a user on a DirectAccess client on the Internet attempts to access the uniform resource locator (URL) for their Web site (such as http://www.contoso.com), they will see the intranet version. Because of this rule, they will never see the public version of this URL when they are on the Internet.

https://technet.microsoft.com/en-us/library/ee382323(v=ws.10).aspx