RADIUS Clients Shared Secrets IP Filters

Transcription

1 Remote users connect to your network through a virtual private network [VPN] connection over the Internet. One of the resources that they need to access is a file sewer named FS1. The antivirus software on FS1 reports an attempted virus infection on the server. You trace it back to one of the remote users. You need to minimize the chance of this happening in the future. You deploy Network Access Protection [NAP] with Routing and Remote Access [RRAS]. You need to configure the appropriate NAP health policy settings. Which two health policy settings should you configure? [Each correct answer presents part of the solution. Choose two.] The client computer has current antivirus updates installed. The client computer has firewall software installed and enabled. Microsoft Update Services is enabled on the client computer. The client computer has antivirus software installed and running. The client computer has antispyware software installed and running. The client computer has current antispyware updates installed. The client computer has current antivirus updates installed. The client computer has antivirus software installed and running. You should configure these two policies: The client computer has antivirus software installed and running. The client computer has current antivirus updates installed. This will cause NAP to evaluate the health of the remote client computer to determine if antivirus software is installed and running and if the antivirus updates are current. This will help ensure that the client computer is not virus-infected, which will help prevent the spread of viruses. If a computer fails the health validation, you can configure NAP to either not allow the client access to the network or allow limited access only. In many cases, you can configure automatic remediation, that is, have NAP take steps to correct the problem automatically. In this situation, these policies are not required: *The client computer has antispyware software installed and running. *The client computer has current antispyware updates installed. The problem reported was with a virus, not with spyware. In this situation, there is no reason to verify that firewall software is installed and configured or if Windows Update Services are installed. Which statement is correct about DirectAccess with Microsoft Windows Server 2012? Permits remote users running Microsoft Windows Vista or Windows 7 to access network resources with the launch of a virtual private network [VPN] connection. Permits remote users running Microsoft Windows 7 or Windows 8 to access network resources without having to open a virtual private network [VPN] connection. Permits remote users running Microsoft Windows Vista or Windows 7 to access network resources without having to open a virtual private network [VPN] connection. Permits remote users running Microsoft Windows 7 or Windows 8 to access network resources with the launch of a virtual private network NPN] connection. Permits remote users running Microsoft Windows 7 or Windows 8 to access network resources without having to open a virtual private network [VPN] connection DirectAccess, a feature in Windows Server allows you to effortlessly access your company's network from an Internetequipped remote location without opening a [VPN] connection. The end user must be running the Windows 7 or Windows 8 operating system to utilize Direct Access. Which three Network Policy Sewer [NPS] templates can be configured in Templates Management? [Choose three.] VPN RADIUS Clients Shared Secrets IP Filters RADIUS Clients Shared Secrets IP Filters These NPS templates can be configured in Templates Management: *Shared Secrets *RADIUS Clients *Remote RADIUS Sewers *lp Filters *Health Policies *Remediation Server Groups You are an engineer for a company that has an Active Directory Domain Services [AD DS] domain named example. com. You are exploring the benefits of implementing Group Managed Service Accounts [gmsas] in your domain. You test setting one of the accounts up in your test domain named example. test. The domain has a Windows Server 2012 server joined to it. You start with the best practice of creating a global security group to hold the objects that are going to be managed. Next, you invoke this PowerShell [PS] cmdletz New- ADServiceAccount -Name BillsCustomTask -DNSHostName BillsCustomTask. example.test - Principals.AllowedToRetrieveManagedPassword "Domain Controllers" Then, you run the PS cmdlet, and you get this error: Key Does Not Exist What should you do to eliminate this error? You must install the KDS Root Key by running the cmdlet Get-KDSRootKey- EffectiveImmediately. {gmsa}. You must install the KDS Root Key by running the cmdt Install-AdServiceAccount {gmsa}. You must create the KDS Root Key by running the cmdlet Add-KDSRootKey- EffectiveImmediately. You must create the KMS Root Key by running the cmdlet Add-KMSRootKey-EffectiveImmediately. You must create the KDS Root Key by running the cmdlet Add-KDSRootKey- EffectiveImmediately. To use a gmsa, you must run the PS cmdlet Add-KDSFlootKey - Effectivelmmdiately in the domain. This key is used by the Key Distribution Service [KDS] on the domain controller to generate passwords. This is only done once in the domain. Add-KMSRootKey -Effectivelmmediately is not a valid PS cmdlet, and KMS is the Key Management Server used to activate volume licensed Microsoft products. Install-AdServiceAccount {gmsa} does not generate a KDS Root key but installs the gmsa on the server on which it will be used. Get-KDSRootKey -Effectivelmmediate y.{gmsa} is not the correct PS cmdlet syntax. SHA unable to contact required services You are an engineer for a company that has an Active Directory Domain Services [AD DS] domain. Your network has Network Access Protection [NAP] deployed on a Microsoft Windows Sewer 2012 server. You are using Windows Security Health Agent [WSHA] to monitor your NAPcompliant client computers. This requires you to have the Security Center Service started. You want to ensure that, if WSHA cannot generate a Statement of Health [SoH] because the Security Center Service is not running, you get an error. You have the Windows Security Health Validator [SHV] properties window open. What Error code resolution should you set to Noncompliant? SHA unable to contact required services SHA not responding to NAP Client SHV unable to contact required services SHV not responding You should set SHA unable to contact required services to Noncompliant. The error SHA unable to contact required services can occur if the Security Health Agent [SHA] is unable to successfully read the client configuration. SHAs monitor on the configuration of the client computer and will submit a new SoH when the configuration has been changed or when the previous SoH has expired. An SHA must be registered with a NAP Agent to for it to work, and it must be initialized to provide an SoH. An SHA will attempt to provide an SoH if there is a corresponding system health validator [SHV] enabled in a health policy on NPS. If an SHA is not able to provide an SoH to the NAP Agent service, the client computer will be in a noncompliant state if that particular SHA is required by Network policy. This can occur with the WSHA, if the Security Center service is not started, or it can occur if an SHA is not properly registered or initialized. You should not set SHV unable to contact required services to Noncompliant. This error can occur if NPS loses network connectivity to a health requirement server that has been set up. You should not set SHA not responding to NAP Client to Noncompliant. This error can occur if an SHA is not properly initialized and registered. You should not set SHV not responding to Noncompliant. This error can occur if the performance of an SHV has been degraded.

2 You are an engineer for a company that has an Active Directory Domain Services [AD DS] domains Your network has Network Access Protection [NAP] deployed on a Microsoft Windows Server 2012 server that is joined to the domain. You would like NAP to use Dynamic Host Configuration Protocol [DHCP] enforcement on the NAP-compatible client computers. Compliant client computers will gain unrestricted access to your network and be assigned an IPv4 address in this range: /16. You must have the Noncompliant client computers assigned a non-routable IPv4 address in this range: /24. When you boot up your noncompliant test machine, you find that it received a DHCP address of /16. Why did the test machine not get a noncompliant DHCP address? You did not authorize the DCHP server in Active Directory [AD]. You did not specify NAP Enforcement Sewers Running DHCP Server. You did not configure a DHCP scope for noncompliant client computers. You did not select DHCP for your Network Connection Method. You did not configure a DHCP scope for noncompliant client computers. The most likely reason is that you did not configure a DHCP scope for noncompliant client computers. Before you start assigning IPv4 addresses to noncompliant client computers in the /24 range, you need to configure a scope for that range. It is unlikely that you did not specify NAP Enforcement Servers Running DHCP Server. You would have had to specify an Enforcement server to get an IPv4 address. It is unlikely that you did not select DHCP for your Network Connection Method. You would have had to configure your Network Connection Method when you set up the Network Policy Server [NPS]. It is unlikely that you did not authorize the DCHP server in the AD. The server would not assign any IPv4 addresses if it had not been authorized in AD. You are the administrator for the Active Directory Domain Services [AD D3] domain corp.net. All domain controllers are running Microsoft Windows Server 2012 and all client computers are running a mix of Windows? and Windows 3. You want to configure the client computers to use microsoft.com as the default home page. You have configured a Group Policy obiect [GPO] with the Preferences settings as shown in the exhibit and linked it to the correct Organizational Unit [DU]. By inspection you discover that the settings do not take effect on the client computers. What should you do? Press F7 to activate the setting in Preferences. Press F6 to activate the setting in Preferences. Press F5 to activate the setting in Preferences. Press F8 to activate the setting in Preferences. Press F6 to activate the setting in Preferences. You should press F6. Notice the red dotted line in the Preference setting. This indicates that the setting is disabled. To enable the setting you must press F6 and the red dotted line will change to a solid green line indicating that the setting is active. You should not press F5. Notice the red dotted line in the Preference setting. This indicates that the setting is disabled. Pressing F5 will enable all settings and not only the setting for the default home page. You should not press F7. Notice the red dotted line in the Preference setting. This indicates that the setting is disabled. Pressing F7 will disable a single setting but, because they are all already disabled, this will not change anything. You should not press F8. Notice the red dotted line in the Preference setting. This indicates that the setting is disabled. Pressing F8 will disable all settings but, because they are all already disabled, this will not change anything. You are the administrator for the Active Directory Domain Services [AD DS] corp.net domain. The domain contains a Domain Controller [DC] named dc1.corp.net and a Domain Name System [DNS] server named dns1.corp.net. You are concerned that computers from visiting consultants could corrupt your DNS with unnecessary records. You need to change settings to only allow domain computers to register in DNS. You need to make the changes using the least amount of administrative effort. What should you do? Install DNS on the DC and configure Secure Only updates. Configure security settings on the DNS server to only allow the domain computers to register. Configure the DNS server to allow for Secure Only updates. Configure the DNS server with scavenging. Install DNS on the DC and configure Secure Only updates. You should install DNS on the domain controller and configure Secure Only updates. The Secure Only updates feature has two functions. First, it ensures that only computers known to the AD DS domain are allowed to register in the DNS zone. Second, it makes sure that only the original registering computer may change a record in the DNS zone. For this to work, the DNS server needs to be configured on a domain controller. You should not configure the DNS server to allow for Secure Only updates. The configuration option Secure Only updates is only available if the DNS server is configured on a domain controller. You should not configure security settings. Security settings on the DNS server are only used to control who can change configurations on the DNS server, not to control which computers can register their records in the DNS zone. You should not configure scavenging. Scavenging is used to remove old records from the DNS zone. If you use dynamic updates to register your computers in the DNS zone, this function can be used to delete records if the computers have not been in contact with the DNS server for a certain period of time. You are the administrator for the Active Directory Domain Services [AD DS] corp.net domain. The domain contains several domain controllers [DCs], all running Microsoft Windows Server You have noticed that one of the DCs has decreased in performance. To correct the problem and regain performance on the DC, you decide to do an offline defragmentation of the Active Directory database on the DC. What should you do? Reboot the DC in Active Directory Restore Mode and use Disk Defragmentation to defragment the database. Stop AD DS and use Disk Defragmentation to defragment the database. Use the metadata cleanup option in Ntdsutil. Use the compact option in Ntdsutil. Use the compact option in Ntdsutil. You should use the compact option in Ntdsutil. In Ntdsutil there is an option in the file section called compact. The compact command is used to compress and defragment the Active Directive database. It does this in a process where it actually creates a new version of the database in another location, after which you copy the new version back and overwrite the old one. Before running the command, you need to stop AD DS. You should not use the metadata cleanup option. The metadata cleanup option in Ntdsutil is used to clean up the database for orphaned objects. If you have deleted a DC by simply removing it physically, the object for that DC will still exist in the database. Using metadata cleanup, you can clean up the database for the no longer existing object. You should not use Disk Defragmentation. Disk Defragmentation is only used to run a defragmentation of files on the disk. It is not able to defragment the Active Directory database. You are the administrator for the Active Directory Domain Services [AD DS] corp.net domain. The domain includes a domain contoller [DC] named DC1.CORP.NET. Currently, DC1.CORP.NET is configured with default settings for database and log file locations. You need to move the log files to E:\Logfiles. Which Ntdsutil command should you use? Holes Local Roles IFM Files Files You should use Files to move the log files to E:\Logfiles. Ntdsutil includes a command named Files that can be used to move the Active Directory database and log files. The command "Move logs to E:\Logfiles" in Files would move the log files of Active Directory to the new location. You need to stop AD DS before attempting the move operation. You should not use Install From Media [IF M] to move the log files to E:\Logfiles. IFM is used in the process of promoting a DC. Normally, you would install a DC and it would begin replication of data from another DC. If you prefer, you can set up a new DC and have it build the Active Directory Database from a backup created on another DC by using the IFM option during the configuration process. You should not use Local Floles to move the log files to E:\Logfiles. Local Roles is used on a Read-Only Domain Controller [RODC] to assign specific local roles to members of the IT staff. Instead of adding a local IT person to the Domain Admins group, you would use Local Roles to assign the desired permissions. You should not use Holes to move the log files to E:\Logfiles. Roles is used to transfer or size the different Flexible Single Master Operation [FSMO] roles in Active Directory.

3 You are the administrator for the Active Directory Domain Services [AD DS] domain corp.net. All domain controllers are running Microsoft Windows Server 2012 and all client computers are running a mix of Windows? and Windows 3. You have employed a new system administrator named John. One of John's responsibilities is to do troubleshooting on all client computers. In order to do troubleshooting, John needs to be a member of the local Administrators group on all client computers. The company security policy states that no system administrator should be a local administrator on client computers that he or she does not manage. You need to assign the proper permissions and uphold the company security policy. What should you do? Add John to the local Administrators security group on all client computers. Have John add himself to the local Administrators security group on the client computer after logon. Add John to the Domain Admins security group. Create a Group Policy Preference that adds the current user to the local Administrators group and have it apply to John. Create a Group Policy Preference that adds the current user to the local Administrators group and have it apply to John. You should create a Group Policy Preference. In Group Policy Preference, you have the option to control members of the local Administrators group. One of the configuration options is to add the current user [the logged on user]. If you apply the Group Policy Preference to John, all client computers John logs on to will add him to the local Administrators security group. You could use Item-level targeting to apply the Group Policy Preference to John. You should not add John to the Domain Admins security group. Although this would make John a member of the local Administrators security group, it would not comply with the company security policy. since John would become a local Administrator on all client computers. You should not add John to the local Administrators security group. This would not comply with the company security policy. You should not have John add himself. In order to add user accounts to the local Administrators group, you need administrative permissions on the local computer. In this case, if John is not already a member of the local Administrators security group, he cannot control the members of it. You are the administrator for the Active Directory Domain Services [AD DS] domain corp.net. All domain controllers are running Microsoft Windows Server 2012 and all client computers are running Windows 8. The Active Directory domain contains two Active Directory Sites named US and EU. You need to copy a special configuration file from a share on one of the file servers to the root of the system drive on the client computers. The configuration file should be copied at first Iogin and only exist on computers in the EU site. You have configured Group Policy Preferences in a Group Policy object [GPO] and linked it to the Domain. You have configured all the General settings. What settings shown in the exhibit should you enable? [Choose all that apply.] Apply once and do not reapply Item-level targeting Remove this item when it is no longer applied Stop processing items in this extension if an error occurs Run in logged-on user's security context [user policy option] Item-level targeting Remove this item when it is no longer applied You should enable the setting Remove this item when it is no longer applied. If a user is moved from the EU site to the US site, the file needs to be removed. This option will make sure that the file is deleted if the Group Policy Obiect no longer applies to the user. You should enable Item-level targeting. You need the group policy to apply to users in the EU site and this task can be accomplished by using Item~level targeting. Item-level targeting is a form of Windows Management Instrumentation [WMI] where the group policy can query the user for the current site and only apply the settings in the EU site. You should not enable the setting Apply once and do not reapply, as the file only needs to be copied once when using this option. If the user accidentally deletes the file, it will not be copied again from the file server. You should not enable the setting Stop processing items in this extension if an error occurs. Although this will do no harm in this case, it will not solve the task. You should not enable the setting Run in logged-on users' security context [user policy option]. There are two security contexts in which Group Policy applies user preferences: the SYSTEM account and the logged-on user. By default, Group Policy processes user preferences using the security context of the SYSTEM account. But sometimes it can be useful to run the processes using the user security; for example, in cases where the system does not have adequate permissions. You are the administrator for the Active Directory Domain Services [AD DS] domain corp.net. All domain controllers are running Microsoft Windows Server 2012 and the client computers are all running Windows 7. The user accounts for local IT support staff members are located in various Organizational Units [OUs] in Active Directory. You need to configure a mapped drive for all the Local IT support staff members using the least amount of administrative effort. All IT support staff members are members of a security group named ITsupport. [The relevant portion of group policies is shown in the exhibit]. What should you do? Create a Group Policy object [GPO] in the Group Policy Obiects container. Configure Preferences to create a mapped drive and link the GPO to the HR, IT, and Sales OUs. Configure a Group Policy object [GPO] linked to the domain. In the GPO configure Preferences to create a mapped drive using Item-level targeting for the ITsupport security group. Configure a Group Policy object [GPO] linked to the domain. In the GPO configure a logon script to create the mapped drive and finally create a Windows Management Instrumentation N/Ml] script to only target members of the ITsupport security group. Configure a Group Policy obiect [GPO] in the Group Policy Obiects container. Configure a logon script to create the mapped drive and link the GPO to all OUs containing IT support staff members. Configure a Group Policy object [GPO] linked to the domain. In the GPO configure Preferences to create a mapped drive using Item-level targeting for the ITsupport security group. You should configure Preferences with Item-level targeting. Although you can create a script to deploy the mapped drive, Windows 2012 and Windows 7 support the use of Preferences where the function to map a drive is built in. Because the members of the IT support staff are distributed in the Active Directory, you should use Item-level targeting to only target the members of the ltsupport security group. You should not create a script and use a Wt-all filter. Although this would be possible, it is not the easiest way to accomplish the task. As noted, Windows 2012 and Windows 7' support the use of Preferences where the function to map a drive is built in. You should not create a script and link the GPO to all OUs. Linking the GPO to all OUs without any form of filter would cause the GPO to create the mapped drive for all users in all OUs. You should not use Preferences and link the GPO to the HR, IT, and Sales OUs. Although Preferences would be the correct way to deploy the mapped drive, creating it without using Item-level targeting would force the GPO to create the mapped drive for all users and not only members of the ltsupport security group. You are the administrator for the Active Directory Domain Services [AD DS] domain corp.net. All domain controllers are running Microsoft Windows Server You need to create a backup of all Group Policy obiects [GPOs] in the Active Directory domain. What tools can you use? [Choose all that apply.] The Group Policy Management Console Windows Servert Backup Gpedit.msc Ntdsutil The PowerShel cmdlet Backup-GPO The Group Policy Management Console The PowerShel cmdlet Backup-GPO You should use the Group Policy Management Console [GPMC]. The GPMC is the primary tool for creating and managing GPOs. The Group Policy Obiects container in the GPMC contains all GPOs for the Active Directory domain and can be used to back up all or individual GPOs. You could also use Backup-GPO. Backup-GPO is a PowerShell cmdlet used to create backups of GPOs. It can be used to back up a single GPO or, using the -All switch, create a backup of all GPOs. You should not use Windows Server Backup. Although Windows Server Backup can create a backup of Active Directory using the systemstate backup function, it does not have a specific option to create backups of GPOs. You should not use ntdsutil. Ntdsutil is a command line tool used to perform maintenance of the Active Directory database. It does not have a specific option to back up or restore GPOs. You should not use gpedit.msc. Gpeditmsc is a tool used to configure the local group policies for a single computer. It does not include any options to back up GPOs stored in Active Directory. You are the administrator for the Active Directory Domain Services [AD DS] domain corp.net. All servers are running Microsoft Windows Server 2012 and all client computers are running Windows XP SP1. You have configured 30 file servers with a locally attached scanner. The software for the scanner needs a special configuration set for registry keys only found on each file server. You decide to configure the registry keys through Group Policy Preferences. From your client computer, you configure a Group Policy object and link it to the Organizational Unit [DU] containing the file servers. What should you do next? Run the New Registry Item with the Create action to configure the key. Run the New Collection Item with the Create action to configure the key. Run the New Registry Item with the Update action to configure the key. Run the New Registry Wizard to configure the key. Run the New Registry Wizard to configure the key. You should use the Registry Wizard. When creating new registry settings using Group Policy Preferences, the normal process is that the keys are derived from the local machine. Only the Registry Wizard can collect registry key configurations from other machines. Since the keys are only found on the file servers, this is the only option. You should not run the New Registry Item with the Update action. The New Registry Item function will only collect keys from the local machine and not the keys found on a file server. You should not run the New Collection Item with the Create action. The Collection Item function is just a collection of registry keys and as such cannot be used to configure any settings directly. You should not run the New Registry Item with the Create action. The New Registry Item function will only collect keys from the local machine and not the keys found on a file server. Whether you use the Update or Create action in this case does not matter.

4 You are the administrator for the Active Directory Domain Services [AD DS] domain corp.net. The domain is configured as a single domain forest. All domain controllers are running Microsoft Windows Sewer 2012 and all client computers are running Windows XP SP2. You have been assigned the task of moving a large number of user accounts from the New York HR Organizational Unit [OU] to the New York Sales OU. You need to determine the group policy settings that will affect the users after the move operation. The relevant configurations in Group Policy Management Console are shown in the exhibit. What should you do? Run Group Policy Results. On the domain controller, run rsop.msc. On the domain controller, run gpresult. Run Group Policy Modeling. Run Group Policy Modeling. You should run Group Policy Modeling. Group Policy Modeling is a feature in the Group Policy Management Console [GPMC] that you can use to run a modeling of what would happen if you move users or computers from one location in the Active Directory domain to another. Group Policy Modeling does not move any objects, it only generates a report. You should not run Group Policy Results. Group Policy Results is a feature in the GPMC that allows you to remotely generate a report of all the group policy settings applied to a user or computer at last logon. You should not run gpresult. Gpresult is a tool to determine the effective group policy settings that were applied the last time a user logged on or a computer booted up. The tool is run locally and only shows the group policy settings that are already in effect. You should not run rsop.msc. Rsop.msc is a graphical version of gpresult, and just like gpresult, it can only be used to create a report of what group policy settings are in effect, not what will happen if you move a user or computer object in Active Directory. You are the administrator for the Active Directory Domain Services [AD DS] domain named corp.net. All domain controllers are running Microsoft Windows Server 2012 and all client computers are running Windows?. You need to reset the Default Domain group policy settings. What tool should you use? Gpedit.msc Gpupdate Dcgpofix Gpfixup Gpresult Dcgpofix You should use dcgpofix. Dcgpofix can be used to restore the two default group policies. If you run dcgpofix /ignoreschema /target:domain you will restore the default domain policy. If you run dcgpofi:-r iignoreschema.-'target:dc you will restore the default domain controller policy. You should not use gplirvrup. Gpfir-rup is used to fix group policy dependencies after a domain rename operation has been performed. You should not use gpresult. Gpresult is used to assess the resultant set of policies applied to a computer or user in any case where multiple policies apply to the same computer or user. You should not use gpedit.msc. l3pedit.msc is a tool used to configure the local group policies set on a user or computer. You should not use gpupdate. Gpupdate is used to update the group policy settings applied to a user or computer. Flun it with the./force switch and you can force an update of settings even if they have not been changed on the domain controller. Link the Desktop Settings GPO to the New Yolk Sales DU You are the administrator for the Active Directory Domain Services corp.net domain. A Group Policy object [GPO] for the domain has been configured as shown in the exhibit. Users in the New York Sales Organizational Unit [DU] report that they are not receiving the same settings for the desktop as their colleagues in the other sales locations. You need to solve the problem using the least amount of administrative effort and without applying excessive policy settings to the New York Sales DU. What should you do? Create a new GPO for the New York Sales OU and configure the desktop settings. Force a Group Policy update on the New York Sales OU. Link the Desktop Settings GPO to the New Yolk Sales DU. Remove the Block Inheritance from the New York Sales OU. You should link the GPO. The New York Sales OU has block inheritance enabled. This has the effect that only GPOs directly linked to the OU or GPOs with Enforced configured will be applied on the users and computers in the New York Sales OU. You should not remove Block Inheritance. If you remove Block Inheritance, you allow all GPOs higher up in the domain structure to be applied to users and computers in the New York Sales OU. In this case, the BitLocker GPO will also be applied. You should not create a new GPO. Although this would work, the effort required to create and maintain the new GPO is higher than simply linking the existing GPO. Linking GPOs is not always the best solution, especially in situations where you have slow network connections. You should not force an update. Forcing an update of GPOs forces the users and computers to ignore version numbers on the GPOs. This process is used if there are some configurations that have not applied to users or computers. However, in this case, there is a Block Inheritance on the OU. Forcing an update will have no effect. You are the administrator for the Active Directory Domain Services corp.net domain. All domain controllers in the domain are running Microsoft Windows Server You are in the process of configuring a Password Settings Obiect [PSO] in ADSI Edit as shown in the exhibit. You need the PSO to apply to a security group named SalesManagers that is located in the Sales Organizational Unit [OU]. What should you enter as DN in the exhibit? dc=net,dc=corp,ou=sales,cn=salesmanagers dn=salesmanagers,ou=sales,dc=corp.dc=net cn=salesmanagers,cn=sales,dc=corp,dc=net cn=salesmanageis,ou=sales,dc=corp,dc=net cn=salesmanageis,ou=sales,dc=corp,dc=net You should enter cn=salesmanagers,ou=sales,dc=corp,dc=net. Distinguished Name [DN] is the full name of an object located in Active Directory. The name is put together of three elements: dc=domain component, ou=organizational unit, and cn=canonical name. Simply put, you use do when it is part of the domain name, ou when it is the name of an DU, and on for all other entries. The name is written from bottom to top. ending with the domain name. You should not enter dc=net,dc=corp,ou=sales,cn=salesmanagers. This places the components in the wrong order. You should not enter cn=salesmanagers,cn=sales,dc=corp,dc=net. You should use ou, not on, for the sales parameter. You should not enter dn=salesmanagers,ou=sales,dc=corp.dc=net. DH is the full name of an object located in Active Directory, not one of thee components of the name. You are the administrator for the Active Directory Domain Services corp.net domain. Domain Controller [DC] configuration and domain password settings are shown in the exhibit. You discover that members of the research department are reusing their old passwords when they are required to change them. You do not want to make any changes to other users' password requirements, but you to want to ensure that research users cannot reuse their old passwords. You need to make the changes using the least administrative effort. What should you do? Create a new Password Settings Object [PSO] in the corp.net domain and apply it to the research users. Create a new Organizational Unit [DU] for the research users. Create a new Group Policy object [GPO] with the password requirements for the research users and link it to the OU. Configure all DCs as global catalog servers. Create a new Password Settings Obiect [PSO] in the corp.net domain and apply it to the research users. Create a child domain in corp.net, assign new password settings for the domain. and move all research users to that domain. Create a child domain in corp.net, assign new password settings for the domain. and move all research users to that domain. You should create a child domain. Password settings are normally only set in the Default Domain Policy GPO. With the arrival of Microsoft Windows Server 2008, administrators had the ability to create PSO objects to make different password settings for the user in the domain. However, to create PSO objects, you need all DCs to be running at least Microsoft Windows Server If not. the only option for different password settings is to create multiple domains, each with its own password settings. You should not create a new PS0 obiect. The creation of PS0 objects requires that all domain controllers are running at least Microsoft Windows Server With DC4 still running Microsoft Windows 2000 Server, the only thing you can do is create a new domain for the research users. You should not create a new OU. Although it is possible to configure password settings in any GPO, the only place where domain password settings can be changed is in a GPO linked to the domain. If you link it to an 0U, the settings only affect locally created user accounts on those computers to which the GPO applies. You should not configure global catalog servers. Global catalog is an option that you can choose to enable on DCs. The main function of the global catalog is to respond to queries across domains in your forest. lt is also responsible for maintaining the Universal group membership list.

5 Create a Shadow Group. You are the administrator for the Active Directory Domain Services corp.net domain. The domain consists of domain controllers all running Microsoft Windows Sewer You need to create a set of special password policies for the users located in an Organizational Unit [DU] named Research. You need the password settings to take effect on all user accounts moved to the Research DU. What should you do? Create a Password Settings Obiect [PSO] and apply it to the Research OU. Create a security group for all the users in the Research OU and apply a PSO to it. Create a Shadow Group. Create a Group Policy obiect [GPO] with the password settings and link it to the Research OU. You should create a Shadow Group. A Shadow Group is not a group that you create in Active Directory. A Shadow Group is more of a concept. First, create a security group. Then, create a PS0 that applies to the security group. At the end, create a scheduled script that adds all members of the OU to the security group. You should not apply a PS0 to the Research OU. You can only apply a PS0 to a security group or an individual user account, not to an OU. You should not create a GPO. You can only specify the domain password setting in a GPO and this can only be linked to the root of the domain. Although you can specify password settings in other GPOS, these settings will only affect local user accounts on computers to which the GPO applies and not the domain user accounts. You should not create a security group. Although this is part of the solution, only creating the security group will not make all user accounts in the Research OU members of the security group. You also need to create a scheduled script that adds all user accounts in the OU to the security group. By adding all user accounts in the OU to the security group, you create a Shadow Group. You are the administrator for the Active Directory Domain Services corp.net domain. The domain consists of domain controllers running Microsoft Windows Server 2012 and client computers running Windows?. You are configuring a Group Policy object [GPO] to deploy Adobe Reader to all users in the domain at first logon. You have created the GPO as shown in the exhibit. You need to configure the installation to run without any user interaction. What should you do? Enable the option Do not display this package in the Add/Remove Program control panel. Change the Deployment type to Published. Change the Installation user interface options to Basic. Enable the option Uninstall this application when it falls out of the scope of management. Change the Installation user interface options to Basic. You should change the Installation user interface options to Basic. This setting determines how much input the user is required to give. If you change it to Basic, all options during the installation that already have a default setting will assume that default setting is the correct one and not prompt the user. You should not change the Deployment type. Published applications will not be installed at logon. They will appear in the Add/Remove section in the Control Panel and the user can choose to install it from there. You should not enable the Uninstall option. This option is used to control whether an application should be uninstalled if the user or computer is moved to a location in Active Directory where it is no longer managed by the GPO that distributed the application. You should not enable the Do not display option. By enabling this option, you would remove the users' ability to install the application from the Control Panel. You are the administrator for the Active Directory Domain Services corp.net domain. The domain contains a Domain Name System [DNS] server running Microsoft Windows Server You need to configure a new host record on the DNS server. which tool should you use? Dnscmd Ipconfig NSLookup DNSLint Dnscmd You should use Dnscmd, which is the command-line tool for the DNS server. It can be used to configure many aspects of the DNS server, including creating new records. The command Dnscmd /recordadd corp.net server1 a would add the Host [A] record server1.corp.net with the IP address to the DNS server. You should not use DNSLint. DNSLint is a tool to create reports and run diagnostics on a DNS server. You should not use lpconfig. Although lpconfig has some command switches related to DNS, it cannot be used to configure any settings on the DNS server. The tool can only be used as a client computer tool. You should not use NSLookup. NSLookup is a tool used to query a DNS server for records. It could be used to query a DNS server for mail server records or service records. The tool cannot be used to do any form of configuration on a DNS server. You are the administrator for the Active Directory Domain Services corp.net domain. The domain contains a main office and five branch offices. In the main office you have deployed two domain controllers [DCs] and in each of the branch offices you have deployed one Read Only Domain Controller [RUDE]. You need to configure each of the branch offices so that the RUDE in the branch office is caching membership of Universal groups. Which tool should you use? Active Directory Administrative Center Active Directory Sites and Services Active Directory Users and Computers Active Directory Domains and Trusts Active Directory Sites and Services You should use Active Directory Sites and Services. The caching of Universal group membership is enabled on each site. To enable it, you need to go into Active Directory Sites and Services and enable it under properties for NTDS site settings. You should not use Active Directory Users and Computers. You use Active Directory Users and Computers to configure settings for objects such as users, computers, and groups. The caching of Universal group membership is a function that is enabled for the entire site. Therefore, you need to use Active Directory Sites and Services. You should not use Active Directory Domains and Trusts. You use Active Directory Domains and Trusts to configure trust relationships between Domains and other Forests. You should not use Active Directory Administrative Center. Active Directory Administrative Center is a Powershellbased GUI interface to administer Active Directory. In Windows Server 2012, Microsoft has added new features such as Password Settings Objects and the Active Directory Recycle Bin. Decrease the Time To Live [TTL] on the web servers' records. You are the administrator for the Active Directory Domain Services corp.net domain. The domain contains a web server farm of ten web sewers. All the web servers are configured in the Domain Name System [DNS] server with the name web.corp.net. At times, you discover that if you need to make changes to the web servers, some users have problems connecting to the web servers if the web server that you are making changes to is offline. You need to make sure that if you take one web server offline, another can respond to the user without too much down time. What should you do? Increase the Time To Live [TTL] on the web servers' records. Decrease the Time To Live [TTL] on the web servers' records. Decrease the Time To Live [TTL] on the Start of Authority [SOA] record. Configure each web server with its own name instead of web.corp.net. You should decrease the TTL for the web servers' records. The problem in this case is that, whenever a user queries the DNS server for the name web.corp.net, the DNS server returns an IP address for the server next in line to respond. However, if the IP address is already in the DNS cache on the client computer, the computer does not try to query the DNS server and uses the local cache instead. By decreasing the TTL for the records, you can force the client computers to not use the local cache for too long. This allows for querying the DNS sewer more often. You should not increase the TTL. Increasing the TTL on the web server records results in the IP address for the web server being cached for a longer period of time on the client computer. This does not help you with the problem. You need to have the records cached for a shorter period of time. You should not configure the web servers with their own names. The servers are configured with the same name, web.corp.net, which enables round robin on the DNS server. This makes it easier for the users to access the servers. Changing the names does not change the period of time that an individual server's IP address is cached on the client computers. You should not decrease the TTL on the SBA record. The SOA record is the record that holds configuration information for a given zone in the DNS. Changing the TTL for this record only influences how long this record is cached on computers and not the records for the web servers.

6 You are the administrator for the Active Directory Domain Services corp.net domain. The domain contains an Organizational Unit [DU] names Sales. Currently, there are two Group Policy objects [GPO] linked to the DU. You need to change the precedence order of the two GPOs. What should you do? Use the command Gpedit.msc. Use the command Gpresult. Use the PowerShe l cmdlet Set-GPInheritance. Use the PowerShell cmdlet Set-GPLink. Use the PowerShell cmdlet Set-GPLink. You should use the PowerShell cmdlet Set-GPLink. GPOs can be linked to an OU or inherited from higher up in the domain structure. Inherited GPOs follow this precedence order: Site then Domain then OU. In case of a conflict in settings, the last set GPO wins. If you link GPOs, you can change the order in which they apply. You can use the Group Policy Management console or the PowerShell cmdlet Set-GPLink. You should not use Set-GPInheritance. This cmdlet is used to control whether or not inheritance of GPO settings are enabled on a domain or DU. If you use the command to block inheritance on an DU, only GPOs higher up in the domain structure with the option Enforced set will be applied to the DU. You should not use Gpresult. Gpresult is a diagnostic command to determine the Resultant Set of Policies [RSOPs] applied to a user or computer. You can also use the command RSOP.msc to perform this task. You should not use Gpeditmsc. Gpeditmsc is used to configure the local GPO settings on a computer. You are the administrator for the Active Directory Domain Services corp.net domain. The domain contains domain controllers [DCs] running Microsoft Windows Server 2012 and client computers running Windows? and 3. The domain is distributed among one main office and three branch offices as shown in the exhibit [communication links are measured in kilobits per second [Kps]]. All DCs are located in the main office. You configure a Group Policy obiect [GPU] and link it to the root of the domain. The GPO is configured to install a preparatory application to all computers in the domain. You discover that some users do not receive the application. What should you do? On the affected computers, run gpupdate /force. On the Organizational Units [OUS] containing the affected computers, run Group Policy Update. Configure slow link detection. Run the command Invoke-GPUpdate. Configure slow link detection. You should configure slow link detection. By default, slow link detection is configured to 500 Kps so any application configured to be deployed through group policies will only be applied if the connected speed is higher than 500 Kps. The link speed in branch offices 2 and 3 is below 500 Kps. So, in order for the application to be deployed, you need to change the slow link detection to 250 Kps or lower. You should not run gpupdate /force. The command gpupdate /force will force the affected computer to apply all group policies, even if they have not been changed. In this case. the speed of the link is the problem so running the command will have no effect. You should not run Group Policy Update. The option to run Group Policy Update from the Group Policy Management Console is a new function in Windows Server 2012, but in this case, the problem is the link speed to the branch offices, so updating the group policies will have no effect. You should not run Invoke-GPUpdate. The option to invoke an update of group policies on all computers in the domain remotely is a new function in Windows Server But in this case, the problem is the link speed to the branch offices, so updating the group policies will have no effect. You are the administrator for the Active Directory Domain Services corp.net domain. The domain contains domain controllers running Microsoft Windows Server 2012 and client computers running Windows 3. You have deployed Microsoft Office 2010 using a Group Policy object [GPO] linked to the root of the domain. After a few days, you discover that when domain users save documents in Word 2010 using the default save location, the documents are not saved on the users' home drive but on the local computer. You need to change the setting on all client computers using the least amount of administrative effort. What should you do? Create an answer file for the Office 2010 installation including the correct file location and redeploy the Office 2010 installation using a GPO linked to the root of the domain. Add the ADMX files for Office 2010 to the Group Policy Management Console and change the file location settings in a GPO linked to the root of the domain. Configure a GPO with folder redirection for the Documents folder and link it to the root of the domain. Reconfigure all computers manually to save documents in the correct location. Add the ADMX files for Office 2010 to the Group Policy Management Console and change the file location settings in a GPO linked to the root of the domain. You should use the ADMX files. You can download ADMX files from the Microsoft website and add them to the administrative section of group policies. Doing this will add the option to change almost all of the settings in the different products of the Office package. You should not configure folder redirection. Although configuring folder redirection for the Documents folders would redirect all documents stored in Word 2010, it would also redirect all other files stored in the Documents folder on each user's computer. You should not create an answer file. Using an answer file for an Office installation is only an option during the installation. After the installation, you should use ADMX files in group policies to change settings in the Office installation. You should not reconfigure all computers manually. Although it is possible to change the setting by doing it manually, it would simply take too much time. You are the administrator for the Active Directory Domain Services corp.net domain. The domain contains domain controllers running Microsoft Windows Server 2012 and client computers running Windows 8. You need to configure the computers belonging to members of the Sales security group to store all documents in the Documents folder on a file sewer in the domain. The members of the Sales security group are located in different Organizational Units [OUs] in the domain. Your solution should only store files from the Documents folder on the file server. What should you do? Create a Group Policy object [GPO], link it to the domain, and configure Basic folder redirection. In Active Directory Users and Computers, configure each member of the Sales security group with a roaming profile. Create a Group Policy object [GPO], link it to the OUs that contain members of the Sales security group, and configure Basic folder redirection. Create a Group Policy object [GPO], link it to the domain, and configure Advanced folder redirection. Create a Group Policy object [GPO], link it to the domain, and configure Advanced folder redirection. You should configure Advanced folder redirection. Folder redirection can be configured for a number of different folders including the Documents folder. It has two main settings: Basic and Advanced. Basic settings will redirect all users' documents if the GPO applies to them. Advanced will redirect all users' documents if the GPO applies to them, but on a security group membership basis. You should not configure Basic folder redirection. Basic folder redirection configured in a GPO linked to the domain will redirect all users' documents to the file server, not only those belonging to members of the Sales security group. You should not configure roaming profiles. Although a roaming profile would include the Documents folder and its content, it would also redirect all other aspects of the user's profile, such as settings on the desktop and the Start menu. You should not link a GPO to all OUs that contain members of the Sales security group and configure Basic folder redirection. Configuring Basic folder redirection in a GPO linked to an OU will redirect all users' documents in that OU to the file server and not only those belonging to members of the Sales security group. You are the administrator for the Active Directory Domain Services corp.net domain. The domain contains five Domain Name System [DNS] servers, all configured to run on Microsoft Windows Server 2012 domain controllers. By inspection, you notice that the corp.net zone on the DNS server contains many old records from computers that are no longer part of the domain You need to delete the old records using the least administrative effort. What should you do? Decrease the TTL on the DNS servers. Decrease the Minimum [default] TTL. Configure scavenging on the DNS servers. In the SOA record, configure Expires after one day. Configure scavenging on the DNS servers. You should configure scavenging. Scavenging is the process of cleaning up old records that have been added dynamically to the DNS server. When you configure scavenging, you configure a no-refresh interval. A norefresh interval occurs when the DNS does not change anything regarding the record. The refresh interval is the interval in which the DNS server renews the registration of a record. Put the two numbers together and you get the amount of time before a record is deleted from the DNS server if there has been no further contact. You should not decrease the TTL. Time To Live [TTL] is a configuration that determines how long a record is cached in the local cache on the client computers. This setting has nothing to do with how long a record exists on the DNS server. You should not decrease the Minimum [default] TTL. This setting determines the default Time To Live that new records on the DNS server should have. This setting only affects the amount of time a record is cached in the local cache on client computers. You should not configure Expires after in the SOA record. This configuration is only used to control how DNS servers holding secondary zones should behave when they try to initiate a zone transfer from a primary DNS server.