Microsoft 70 412

s@lm@n

Microsoft
Exam 70-412
Configuring Advanced Windows Server 2012 R2 Services
Version: 31.0

[ Total Questions: 424 ]


Microsoft 70-412 : Practice Test
Topic break down

Topic No. of Questions


Topic 1: Volume A 60
Topic 2: Volume B 60
Topic 3: Volume C 156
Topic 4: Volume D 148

A Composite Solution With Just One Click - Certification Guaranteed 2


Topic 1, Volume A

Question No : 1 - (Topic 1)

Your network contains an Active Directory forest named contoso.com.

Users frequently access the website of an external partner company. The URL of the
website is http://partners.adatum.com.

The partner company informs you that it will perform maintenance on its Web server and
that the IP addresses of the Web server will change.

After the change is complete, the users on your internal network report that they fail to
access the website. However, some users who work from home report that they can
access the website.

You need to ensure that your DNS servers can resolve partners.adatum.com to the correct
IP address immediately.

What should you do?

A. Run dnscmd and specify the CacheLockingPercent parameter.
B. Run Set-DnsServerGlobalQueryBlockList.
C. Run ipconfig and specify the Renew parameter.
D. Run Set-DnsServerCache.

Answer: D
Explanation:

The Set-DnsServerCache cmdlet modifies cache settings for a Domain Name System
(DNS) server.

Run Set-DnsServerCache with the -LockingPercent switch.

/ -LockingPercent <UInt32>
Specifies a percentage of the original Time to Live (TTL) value that caching can consume.
Cache locking is configured as a percent value. For example, if the cache locking value is
set to 50, the DNS server does not overwrite a cached entry for half of the duration of the
TTL. By default, the cache locking percent value is 100. This value means that the DNS
server will not overwrite cached entries for the entire duration of the TTL.

Note. A better way would be to clear the DNS cache on the DNS server with either Dnscmd
/ClearCache (from command prompt), or Clear-DnsServerCache (from Windows
PowerShell).

Reference: Set-DnsServerCache

http://technet.microsoft.com/en-us/library/jj649852.aspx

Incorrect:

Not A. You need to use the /config parameter as well:

You can change this value if you like by using the dnscmd command:

dnscmd /Config /CacheLockingPercent <percent>

Question No : 2 - (Topic 1)

You have a server named Server1 that runs Windows Server 2012 R2. The storage on
Server1 is configured as shown in the following table.

You plan to implement Data Deduplication on Server1.

You need to identify on which drives you can enable Data Deduplication.

Which three drives should you identify? (Each correct answer presents part of the solution.
Choose three.)

A. C
B. D
C. E
D. F
E. G

Answer: B,D,E
Explanation:

Volumes that are candidates for deduplication must conform to the following requirements:
* Must not be a system or boot volume. (not A)
* Can be partitioned as a master boot record (MBR) or a GUID Partition Table (GPT), and
must be formatted using the NTFS file system. (not C)
* Can reside on shared storage, such as storage that uses a Fibre Channel or an SAS
array, or when an iSCSI SAN and Windows Failover Clustering is fully supported.
* Do not rely on Cluster Shared Volumes (CSVs). You can access data if a
deduplication-enabled volume is converted to a CSV, but you cannot continue to process
files for deduplication.
* Do not rely on the Microsoft Resilient File System (ReFS).
* Must be exposed to the operating system as non-removable drives. Remotely-mapped
drives are not supported.

Ref: Plan to Deploy Data Deduplication


http://technet.microsoft.com/en-us/library/hh831700.aspx

Question No : 3 DRAG DROP - (Topic 1)

Your network contains an Active Directory domain named contoso.com. The domain
contains a file server named Server1. All servers run Windows Server 2012 R2.

All domain user accounts have the Division attribute automatically populated as part of the
user provisioning process. The Support for Dynamic Access Control and Kerberos
armoring policy is enabled for the domain.

You need to control access to the file shares on Server1 based on the values in the
Division attribute and the Division resource property.

Which three actions should you perform in sequence?

Answer:

Explanation:

* First create a claim type for the property, then create a reference resource property that
points back to the claim. Finally set the classification value on the folder.

* Configure the components and policy
1. Create claim types
2. Create resource properties

Deploy the central access policy
3. Assign the CAP to the appropriate shared folders on the file server.

Question No : 4 - (Topic 1)

Your network contains an Active Directory domain named contoso.com. The domain
contains a member server named Server1 that has the Active Directory Federation
Services server role installed. All servers run Windows Server 2012.

You complete the Active Directory Federation Services Configuration Wizard on Server1.

You need to ensure that client devices on the internal network can use Workplace Join.

Which two actions should you perform on Server1? (Each correct answer presents part of
the solution. Choose two.)

A. Run Enable-AdfsDeviceRegistration -PrepareActiveDirectory.
B. Edit the multi-factor authentication global authentication policy settings.
C. Run Enable-AdfsDeviceRegistration.
D. Run Set-AdfsProxyProperties HttpPort 80.
E. Edit the primary authentication global authentication policy settings.

Answer: C,E
Explanation:

C. To enable Device Registration Service
On your federation server, open a Windows PowerShell command window and type:
Enable-AdfsDeviceRegistration
Repeat this step on each federation farm node in your AD FS farm.

E. Enable seamless second factor authentication
Seamless second factor authentication is an enhancement in AD FS that provides an
added level of access protection to corporate resources and applications from external
devices that are trying to access them. When a personal device is Workplace Joined, it
becomes a ‘known’ device and administrators can use this information to drive conditional
access and gate access to resources.
To enable seamless second factor authentication, persistent single sign-on (SSO) and
conditional access for Workplace Joined devices:
In the AD FS Management console, navigate to Authentication Policies. Select Edit Global
Primary Authentication. Select the check box next to Enable Device Authentication, and
then click OK.

Reference: Configure a federation server with Device Registration Service.

Question No : 5 - (Topic 1)

You have a server named Server1 that runs Windows Server 2012 R2.

From Server Manager, you install the Active Directory Certificate Services server role on
Server1.

A domain administrator named Admin1 logs on to Server1.

When Admin1 runs the Certification Authority console, Admin1 receives the following error
message.

You need to ensure that when Admin1 opens the Certification Authority console on
Server1, the error message does not appear.

What should you do?

A. Install the Active Directory Certificate Services (AD CS) tools.
B. Run the regsvr32.exe command.
C. Modify the PATH system variable.
D. Configure the Active Directory Certificate Services server role from Server Manager.

Answer: D
Explanation:

The error message is related to missing role configuration.

* Cannot Manage Active Directory Certificate Services
Resolution: configure the two Certification Authority and Certification Authority Web
Enrollment Roles.

Reference: Cannot manage Active Directory Certificate Services in Server 2012 Error
0x800070002

Question No : 6 - (Topic 1)

Your network contains an Active Directory domain named contoso.com. All servers run
Windows Server 2012 R2.

You are creating a central access rule named TestFinance that will be used to audit
members of the Authenticated Users group for access failure to shared folders in the
finance department.

You need to ensure that access requests are unaffected when the rule is published.

What should you do?

A. Add a User condition to the current permissions entry for the Authenticated Users
principal.
B. Set the Permissions to Use the following permissions as proposed permissions.
C. Add a Resource condition to the current permissions entry for the Authenticated Users
principal.
D. Set the Permissions to Use the following permissions as current permissions.

Answer: B
Explanation:

Proposed permissions enable an administrator to more accurately model the impact of
potential changes to access control settings without actually changing them.

Reference: Access Control and Authorization Overview

http://technet.microsoft.com/en-us/library/jj134043.aspx

Question No : 7 - (Topic 1)

Your network contains an Active Directory domain named contoso.com. The domain
contains two member servers named Server1 and Server2. All servers run Windows Server
2012 R2.

Server1 and Server2 have the Failover Clustering feature installed. The servers are
configured as nodes in a failover cluster named Cluster1. Cluster1 contains a cluster disk
resource.

A developer creates an application named App1. App1 is NOT a cluster-aware application.
App1 runs as a service. App1 stores data on the cluster disk resource.

You need to ensure that App1 runs in Cluster1. The solution must minimize development
effort.

Which cmdlet should you run?

A. Add-ClusterGenericServiceRole
B. Add-ClusterGenericApplicationRole
C. Add-ClusterScaleOutFileServerRole
D. Add-ClusterServerRole

Answer: B
Explanation:

Add-ClusterGenericApplicationRole
Configure high availability for an application that was not originally designed to run in a
failover cluster.
If you run an application as a Generic Application, the cluster software will start the
application, then periodically query the operating system to see whether the application
appears to be running. If so, it is presumed to be online, and will not be restarted or failed
over.

EXAMPLE 1.
Command Prompt: C:\PS>

Add-ClusterGenericApplicationRole -CommandLine NewApplication.exe

Name              OwnerNode    State
----              ---------    -----
cluster1GenApp    node2        Online

Description
-----------
This command configures NewApplication.exe as a generic clustered application. A default
name will be used for client access and this application requires no storage.

Reference: Add-ClusterGenericApplicationRole

http://technet.microsoft.com/en-us/library/ee460976.aspx

Question No : 8 HOTSPOT - (Topic 1)

Your network contains an Active Directory domain named contoso.com. The domain
contains a server named Server1 that runs Windows Server 2012 R2. Server1 has the
Active Directory Certificate Services server role installed and configured.

For all users, you are deploying smart cards for logon. You are using an enrollment agent
to enroll the smart card certificates for the users.

You need to configure the Contoso Smartcard Logon certificate template to support the use
of the enrollment agent.

Which setting should you modify? To answer, select the appropriate setting in the answer
area.

Answer:

Explanation:

/ In the Application policy drop-down list, select Certificate Request Agent.

/ The Issuance Requirements tab
* Application policy. This option specifies the application policy that must be included in the
signing certificate used to sign the certificate request. It is enabled when Policy type
required in signature is set to either Application policy or Both application and issuance
policy.

Question No : 9 HOTSPOT - (Topic 1)

Your network contains an Active Directory domain named contoso.com. The domain
contains two servers named Server1 and Server2. All servers run Windows Server 2012
R2.

You install the DHCP Server server role on both servers.

On Server1, you have the DHCP scope configured as shown in the exhibit. (Click the
Exhibit button.)

You need to configure the scope to be load-balanced across Server1 and Server2.

What Windows PowerShell cmdlet should you run on Server1?

To answer, select the appropriate options in the answer area.

Answer:

Explanation:

Explanation/Reference:
* Add-DhcpServerv4Failover
The Add-DhcpServerv4Failover cmdlet adds a new IPv4 failover relationship to a Dynamic
Host Configuration Protocol (DHCP) server service.

/ -PartnerServer <String>
Specifies the IPv4 address, or host name, of the partner DHCP server service with which
the failover relationship is created.

/ -ScopeId <IPAddress[]>
Specifies the scope identifiers, in IPv4 address format, which are to be added to the
failover relationship.

Question No : 10 - (Topic 1)

Your network contains two servers named Server1 and Server2 that run Windows Server
2012 R2.

Both servers have the Hyper-V server role installed. Server1 and Server2 are located in
different offices. The offices connect to each other by using a high-latency WAN link.

Server2 hosts a virtual machine named VM1.

You need to ensure that you can start VM1 on Server1 if Server2 fails. The solution must
minimize hardware costs.

What should you do?

A. On Server1, install the Multipath I/O (MPIO) feature. Modify the storage location of the
VHDs for VM1.
B. From the Hyper-V Settings of Server2, modify the Replication Configuration settings.
Enable replication for VM1.
C. On Server2, install the Multipath I/O (MPIO) feature. Modify the storage location of the
VHDs for VM1.
D. From the Hyper-V Settings of Server1, modify the Replication Configuration settings.
Enable replication for VM1.

Answer: D
Explanation:

You first have to enable replication on the Replica server (Server1) by going to the server
and modifying the "Replication Configuration" settings under Hyper-V settings. You then go
to VM1, which resides on Server2, and run the "Enable Replication" wizard on VM1.

Question No : 11 - (Topic 1)

Your network contains a perimeter network and an internal network. The internal network
contains an Active Directory Federation Services (AD FS) 2.1 infrastructure. The
infrastructure uses Active Directory as the attribute store.

You plan to deploy a federation server proxy to a server named Server2 in the perimeter
network.

You need to identify which value must be included in the certificate that is deployed to
Server2.

What should you identify?

A. The FQDN of the AD FS server
B. The name of the Federation Service
C. The name of the Active Directory domain
D. The public IP address of Server2

Answer: A
Explanation:

To add a host (A) record to corporate DNS for a federation server


On a DNS server for the corporate network, open the DNS snap-in.
1. In the console tree, right-click the applicable forward lookup zone, and then click New
Host (A).
2. In Name, type only the computer name of the federation server or federation server
cluster (for example, type fs for the fully qualified domain name (FQDN) fs.adatum.com).
3. In IP address, type the IP address for the federation server or federation server cluster
(for example, 192.168.1.4).
4. Click Add Host.

Reference: Add a host (A) record to corporate DNS for a federation server

http://technet.microsoft.com/en-us/library/cc776786(v=ws.10).aspx

Question No : 12 - (Topic 1)

You have a server named LON-DC1 that runs Windows Server 2012 R2. An iSCSI virtual
disk named VirtualiSCSI1.vhd exists on LON-DC1 as shown in the exhibit. (Click the
Exhibit button.)

You create a new iSCSI virtual disk named VirtualiSCSI2.vhd by using the existing itgt
iSCSI target.

VirtualiSCSI1.vhd is removed from LON-DC1.

You need to assign VirtualiSCSI2.vhd a logical unit value of 0.

What should you do?

A. Modify the properties of the itgt iSCSI target.
B. Modify the properties of the VirtualiSCSI2.vhd iSCSI virtual disk.
C. Run the Set-VirtualDisk cmdlet and specify the -UniqueId parameter.
D. Run the iscsicli command and specify the reportluns parameter.

Answer: B
Explanation:
The virtual disk has the option to change the LUN ID; no other option available in the
answers appears to allow this change.

Note: Logical unit numbers (LUNs) created on an iSCSI disk storage subsystem are not
directly assigned to a server. For iSCSI, LUNs are assigned to logical entities called
targets.

Question No : 13 - (Topic 1)

Your network contains two Web servers named Server1 and Server2. Both servers run
Windows Server 2012 R2.

Server1 and Server2 are nodes in a Network Load Balancing (NLB) cluster. The NLB
cluster contains an application named App1 that is accessed by using the URL
http://app1.contoso.com.

You plan to perform maintenance on Server1.

You need to ensure that all new connections to App1 are directed to Server2. The solution
must not disconnect the existing connections to Server1.

What should you run?

A. The Set-NlbCluster cmdlet
B. The Set-NlbClusterNode cmdlet
C. The Stop-NlbCluster cmdlet
D. The Stop-NlbClusterNode cmdlet

Answer: D
Explanation:

The Stop-NlbClusterNode cmdlet stops a node in an NLB cluster. When you stop the
nodes in the cluster, client connections that are already in progress are interrupted. To
avoid interrupting active connections, consider using the -Drain parameter, which allows the
node to continue servicing active connections but disables all new traffic to that node.

-Drain <SwitchParameter>
Drains existing traffic before stopping the cluster node. If this parameter is omitted, existing
traffic will be dropped.

Reference: Stop-NlbClusterNode

Question No : 14 - (Topic 1)

Your network contains an Active Directory domain named contoso.com. The domain
contains a domain controller named DC1 and a member server named Server1. Server1
has the IP Address Management (IPAM) Server feature installed.

On DC1, you configure Windows Firewall to allow all of the necessary inbound ports for
IPAM.

On Server1, you open Server Manager as shown in the exhibit. (Click the Exhibit button.)

You need to ensure that you can use IPAM on Server1 to manage DNS on DC1.

What should you do?

A. Modify the outbound firewall rules on Server1.
B. Modify the inbound firewall rules on Server1.
C. Add Server1 to the Remote Management Users group.
D. Add Server1 to the Event Log Readers group.

Answer: D
Explanation:

To access configuration data and server event logs, the IPAM server must be a member of
the domain IPAM Users Group (IPAMUG). The IPAM server must also be a member of the
Event Log Readers security group.

Note: The computer account of the IPAM server must be a member of the Event Log
Readers security group.

Reference: Manually Configure DC and NPS Access Settings.

http://technet.microsoft.com/en-us/library/jj878317.aspx

http://technet.microsoft.com/en-us/library/jj878313.aspx

Question No : 15 - (Topic 1)

Your network contains 20 iSCSI storage appliances that will provide storage for 50 Hyper-V
hosts running Windows Server 2012 R2.

You need to configure the storage for the Hyper-V hosts. The solution must minimize
administrative effort.

What should you do first?

A. Install the iSCSI Target Server role service and configure iSCSI targets.
B. Install the iSNS Server service feature and create a Discovery Domain.
C. Start the Microsoft iSCSI Initiator Service and configure the iSCSI Initiator Properties.
D. Install the Multipath I/O (MPIO) feature and configure the MPIO Properties.

Answer: A
Explanation:

Windows Server 2012 includes an iSCSI Target role that, along with Failover Clustering,
allows it to become a cost-effective and highly-available iSCSI Storage Array.

We can connect from our Hyper-V host to the iSCSI target on the storage array with the
following PowerShell command line:

# Register the storage array as a target portal, then connect to the target it exposes.
New-IscsiTargetPortal -TargetPortalAddress <IP_Address or FQDN of storage array>

$target = Get-IscsiTarget

Connect-IscsiTarget -NodeAddress $target.NodeAddress

Incorrect:
Not B. Discovery Domains in an iSCSI fabric, like zones in a Fibre Channel fabric, enable
you to partition the storage resources in your storage area network (SAN). By creating and
managing Discovery Domains, you can control the iSCSI targets that each iSCSI initiator
can see and log on to.

Reference: Configure iSCSI Target Server Role on Windows Server 2012

Question No : 16 DRAG DROP - (Topic 1)

You have a server that runs Windows Server 2012 R2.

You create a new work folder named Share1.

You need to configure Share1 to meet the following requirements:

✑ Ensure that all synchronized copies of Share1 are encrypted.
✑ Ensure that clients synchronize to Share1 every 30 minutes.
✑ Ensure that Share1 inherits the NTFS permissions of the parent folder.

Which cmdlet should you use to achieve each requirement?

To answer, drag the appropriate cmdlets to the correct requirements. Each cmdlet may be
used once, more than once, or not at all. You may need to drag the split bar between
panes or scroll to view content.

Answer:

Explanation:

* (box 1) Set-SyncShare
The Set-SyncShare cmdlet modifies the settings for a sync share.
/ Parameter: -RequireEncryption <Boolean>
Indicates whether the sync server requests that the contents of Work Folders be encrypted
on each PC and device that accesses the sync share.

* (box 2) Set-SyncServerSettings
/ Parameter: -MinimumChangeDetectionMins <UInt32>
Specifies the time, in minutes, before the Sync Share server detects changes on devices
and syncs the client and server.

* (box 3) Example: Modify a sync share to enable inherited permissions
This command modifies settings on the share named Share01, and sets
KeepParentFolderPermission to enable the share to inherit permissions from the parent
folder.

Windows PowerShell
PS C:\> Set-SyncShare Share01 -KeepParentFolderPermission

Question No : 17 - (Topic 1)

Your company has offices in Montreal, New York, and Amsterdam.

The network contains an Active Directory forest named contoso.com. An Active Directory
site exists for each office. All of the sites connect to each other by using the
DEFAULTIPSITELINK site link.

You need to ensure that only between 20:00 and 08:00, the domain controllers in the
Montreal office replicate the Active Directory changes to the domain controllers in the
Amsterdam office.

The solution must ensure that the domain controllers in the Montreal and the New York
offices can replicate the Active Directory changes any time of day.

What should you do?

A. Create a new site link that contains Montreal and Amsterdam. Remove Amsterdam from
DEFAULTIPSITELINK. Modify the schedule of DEFAULTIPSITELINK.
B. Create a new site link that contains Montreal and Amsterdam. Create a new site link
bridge. Modify the schedule of DEFAULTIPSITELINK.
C. Create a new site link that contains Montreal and Amsterdam. Remove Amsterdam from
DEFAULTIPSITELINK. Modify the schedule of the new site link.
D. Create a new site link that contains Montreal and Amsterdam. Create a new site link
bridge. Modify the schedule of the new site link.

Answer: C
Explanation:

We create a new site link between Montreal and Amsterdam and schedule it only between
20:00 and 08:00. To ensure that traffic between Montreal and Amsterdam only occurs at
this time we also remove Amsterdam from the DEFAULTIPSITELINK.

Reference: How Active Directory Replication Topology Works

http://technet.microsoft.com/en-us/library/cc755994(v=ws.10).aspx

Question No : 18 - (Topic 1)

Your network contains an Active Directory domain named contoso.com. The domain
contains a server named Server3 that runs Windows Server 2012 R2 and has the DHCP
Server server role installed.

DHCP is configured as shown in the exhibit. (Click the Exhibit button.)

You need to ensure that only Scope1, Scope3, and Scope5 assign the same DNS servers
to DHCP clients. The solution must minimize administrative effort.

What should you do?

A. Create a superscope and scope-level policies.
B. Configure the Scope Options.
C. Create a superscope and a filter.
D. Configure the Server Options.

Answer: B
Explanation:

Any DHCP scope options can be configured for assignment to DHCP clients, such as DNS
server.

Reference: Configuring a DHCP Scope.

http://technet.microsoft.com/en-us/library/dd759218.aspx

Question No : 19 - (Topic 1)

You have a server named Server1 that runs Windows Server 2012 R2.

Each day, Server1 is backed up fully to an external disk.

On Server1, the disk that contains the operating system fails.

You replace the failed disk.

You need to perform a bare-metal recovery of Server1 by using the Windows Recovery
Environment (Windows RE).

What should you do?

A. Run the Start-WBVolumeRecovery cmdlet and specify the -backupset parameter.
B. Run the Get-WBBareMetalRecovery cmdlet and specify the -policy parameter.
C. Run the wbadmin.exe start recovery command and specify the -recoverytarget
parameter.
D. Run the wbadmin.exe start sysrecovery command and specify the -backuptarget
parameter.

Answer: D
Explanation:

Performs a system recovery (bare metal recovery). This subcommand can be run only from
the Windows Recovery Environment.

* -backupTarget
Specifies the storage location that contains the backup or backups that you want to
recover. This parameter is useful when the storage location is different from where backups
of this computer are usually stored.

Reference: Wbadmin start sysrecovery

http://technet.microsoft.com/en-us/library/cc742118.aspx

Question No : 20 HOTSPOT - (Topic 1)

Your company has a primary data center and a disaster recovery data center.

The network contains an Active Directory domain named contoso.com. The domain
contains a server named that runs Windows Server 2012 R2. Server1 is located in the
primary data center.

Server1 has an enterprise root certification authority (CA) for contoso.com.

You deploy another server named Server2 to the disaster recovery data center.

You plan to configure Server2 as a secondary certificate revocation list (CRL) distribution
point.

You need to configure Server2 as a CRL distribution point (CDP).

Which tab should you use to configure the required CDP entry? To answer, select the
appropriate tab in the answer area.

Answer:

Explanation:

To configure the CDP and AIA extensions on CA1

Question No : 21 HOTSPOT - (Topic 1)

Your network contains an Active Directory domain named contoso.com.

You have a failover cluster named Cluster1 that contains two nodes named Server1 and
Server2. Both servers run Windows Server 2012 R2 and have the Hyper-V server role
installed.

You plan to create two virtual machines that will run an application named App1. App1 will
store data on a virtual hard drive named App1data.vhdx. App1data.vhdx will be shared by
both virtual machines.

The network contains the following shared folders:

✑ An SMB file share named Share1 that is hosted on a Scale-Out File Server.
✑ An SMB file share named Share2 that is hosted on a standalone file server.
✑ An NFS share named Share3 that is hosted on a standalone file server.

You need to ensure that both virtual machines can use App1data.vhdx simultaneously.

What should you do?

To answer, select the appropriate configurations in the answer area.

Answer:

Explanation:

Explanation/Reference:
* Simultaneous access to vhd can only be done by scale-out file server
* Create your VHDX data files to be shared as fixed-size or dynamically expanding, on the
disk where you manually attached the Shared VHDX filter. Old VHD files are not allowed.
Differencing disks are not allowed.

Question No : 22 - (Topic 1)

Your network contains an Active Directory domain named contoso.com. The domain
contains a server named Server1 that runs Windows Server 2012 R2 and has the DHCP
Server server role installed.

You need to create an IPv6 scope on Server1. The scope must use an address space that
is reserved for private networks. The addresses must be routable.

Which IPv6 scope prefix should you use?

A. 2001:123:4567:890A::
B. FE80:123:4567::
C. FF00:123:4567:890A::
D. FD00:123:4567::

Answer: D
Explanation:
Explanation/Reference:
* A unique local address (ULA) is an IPv6 address in the block fc00::/7, defined in RFC
4193. It is the approximate IPv6 counterpart of the IPv4 private address.
The address block fc00::/7 is divided into two /8 groups:
/ The block fc00::/8 has not been defined yet.
/ The block fd00::/8 is defined for /48 prefixes, formed by setting the 40 least-significant bits
of the prefix to a randomly generated bit string.
* Prefixes in the fd00::/8 range have properties similar to those of the IPv4 private address
ranges:

/ They are not allocated by an address registry and may be used in networks by anyone
without outside involvement.
/ They are not guaranteed to be globally unique.
/ Reverse Domain Name System (DNS) entries (under ip6.arpa) for fd00::/8 ULAs cannot
be delegated in the global DNS.

Reference: RFC 4193

Question No : 23 DRAG DROP - (Topic 1)

Your network contains an Active Directory domain named contoso.com. All file servers in
the domain run Windows Server 2012 R2.

The computer accounts of the file servers are in an organizational unit (OU) named OU1. A
Group Policy object (GPO) named GPO1 is linked to OU1.

You plan to modify the NTFS permissions for many folders on the file servers by using
central access policies.

You need to identify any users who will be denied access to resources that they can
currently access once the new permissions are implemented.

In which order should you perform the five actions?

Answer:

Explanation:


* Configure a central access rule
* Configure a central access policy (CAP) (with help of central access rules)
* Deploy the central access policy (through GPO)
* Modify security settings
* Check the result

Question No : 24 - (Topic 1)

Your network contains two Active Directory forests named contoso.com and adatum.com.

Contoso.com contains one domain. Adatum.com contains a child domain named
child.adatum.com.

Contoso.com has a one-way forest trust to adatum.com. Selective authentication is
enabled on the forest trust.

Several user accounts are migrated from child.adatum.com to adatum.com.

Users report that after the migration, they fail to access resources in contoso.com. The
users successfully accessed the resources in contoso.com before the accounts were
migrated.

You need to ensure that the migrated users can access the resources in contoso.com.

What should you do?

A. Replace the existing forest trust with an external trust.
B. Run netdom and specify the /quarantine attribute.
C. Disable SID filtering on the existing forest trust.
D. Disable selective authentication on the existing forest trust.

Answer: C
Explanation:

Security Considerations for Trusts

Need to gain access to the resources in contoso.com

Disabling SID Filter Quarantining on External Trusts

Although it reduces the security of your forest (and is therefore not recommended), you can
disable SID filter quarantining for an external trust by using the Netdom.exe tool. You
should consider disabling SID filter quarantining only in the following situations:

* Users have been migrated to the trusted domain with their SID histories preserved, and
you want to grant them access to resources in the trusting domain based on the SID history
attribute.
Etc.

Incorrect:
Not B. Netdom enables administrators to manage Active Directory domains and trust relationships
from the command prompt; /quarantine sets or clears the domain quarantine.
Not D. Selective authentication over a forest trust restricts access to only those users in a
trusted forest who have been explicitly given authentication permissions to computer
objects (resource computers) that reside in the trusting forest.

Reference: Security Considerations for Trusts

http://technet.microsoft.com/en-us/library/cc755321(v=ws.10).aspx


Question No : 25 HOTSPOT - (Topic 1)

Your network contains two Hyper-V hosts that are configured as shown in the following
table.

You create a virtual machine on Server1 named VM1.

You plan to export VM1 from Server1 and import VM1 to Server2.

You need to ensure that you can start the imported copy of VM1 from snapshots.

What should you configure on VM1?

To answer, select the appropriate node in the answer area.


Answer:


Explanation:


Note:
* If the CPUs are from the same manufacturer but not of the same type, you may need
to use Processor Compatibility.
(Incorrect) The network adapter is already disconnected.

Question No : 26 - (Topic 1)

Your network contains an Active Directory domain named contoso.com. All domain
controllers run Windows Server 2012 R2. The domain contains two domain controllers.

The domain controllers are configured as shown in the following table.


You configure a user named User1 as a delegated administrator of DC10.

You need to ensure that User1 can log on to DC10 if the network link between the Main
site and the Branch site fails.

What should you do?

A. Add User1 to the Domain Admins group.
B. On DC10, modify the User Rights Assignment in Local Policies.
C. Run repadmin and specify the /prp parameter.
D. On DC10, run ntdsutil and configure the settings in the Roles context.

Answer: C
Explanation:

repadmin /prp allows the password of the local administrator to be cached on the RODC.
This command lists and modifies the Password Replication Policy (PRP) for read-only
domain controllers (RODCs).

Reference: RODC Administration

https://technet.microsoft.com/en-us/library/cc755310%28v=ws.10%29.aspx

Question No : 27 HOTSPOT - (Topic 1)

You have a file server named Server1 that runs Windows Server 2012 R2.

You need to ensure that you can use the NFS Share - Advanced option from the New
Share Wizard in Server Manager.

Which two role services should you install?

To answer, select the appropriate two role services in the answer area.

Answer:

Explanation:

* File Server Resource Manager role

File Server Resource Manager is a set of features that allow you to manage and classify
data that is stored on file servers.

Note: NFS Share – Advanced

This advanced profile offers additional options to configure an NFS file share:

* Set the folder owners for access-denied assistance
* Configure default classification of data in the folder for management and access policies
* Enable quotas

Question No : 28 HOTSPOT - (Topic 1)

Your network contains an Active Directory domain named contoso.com. The domain
contains two DHCP servers named Server1 and Server2. Both servers have multiple IPv4
scopes.

Server1 and Server2 are used to assign IP addresses for the network IDs of 172.20.0.0/16
and 131.107.0.0/16.

You install the IP Address Management (IPAM) Server feature on a server named IPAM1
and configure IPAM1 to manage Server1 and Server2.

Some users from the 172.20.0.0 network report that they occasionally receive an IP
address conflict error message.

You need to identify whether any scopes in the 172.20.0.0 network ID conflict with one
another.

What Windows PowerShell cmdlet should you run?

To answer, select the appropriate options in the answer area.

Answer:

Explanation:


Type the following command at a Windows PowerShell prompt and press ENTER:

PS C:\> Get-IpamRange -AddressFamily IPv4 -AddressCategory Private | Where-Object {$_.Overlapping -eq "True"}

The previous command will display any overlapping IP address ranges, if they exist.

Question No : 29 - (Topic 1)

You have a Hyper-V host named Server1 that runs Windows Server 2012 R2. Server1
contains a virtual machine named VM1 that runs Windows Server 2012 R2.

You fail to start VM1 and you suspect that the boot files on VM1 are corrupt.

On Server1, you attach the virtual hard disk (VHD) of VM1 and you assign the VHD a drive
letter of F.

You need to repair the corrupt boot files on VM1.

What should you run?

A. bootrec.exe /rebuildbcd
B. bootrec.exe /scanos
C. bcdboot.exe f:\windows /s c:
D. bcdboot.exe c:\windows /s f:

Answer: D
Explanation:

BCDboot enables you to quickly set up a system partition, or to repair the boot environment
located on the system partition. The system partition is set up by copying a simple set of Boot
Configuration Data (BCD) files to an existing empty partition.

Reference: BCDboot Command-Line Options

Question No : 30 - (Topic 1)

Your network contains an Active Directory forest named contoso.com. The forest contains
two domains named contoso.com and child1.contoso.com. The domains contain three
domain controllers.

The domain controllers are configured as shown in the following table.


You need to ensure that the KDC support for claims, compound authentication, and
Kerberos armoring setting is enforced in the child1.contoso.com domain.

Which two actions should you perform? (Each correct answer presents part of the solution.
Choose two.)

A. Upgrade DC1 to Windows Server 2012 R2.
B. Upgrade DC11 to Windows Server 2012 R2.
C. Raise the domain functional level of child1.contoso.com.
D. Raise the domain functional level of contoso.com.
E. Raise the forest functional level of contoso.com.

Answer: A,D
Explanation:

The root domain in the forest must be at Windows Server 2012 level. First upgrade DC1 to
this level (A), then raise the contoso.com domain functional level to Windows Server 2012
(D).

* (A) To support resources that use claims-based access control, the principal’s domains
will need to be running one of the following:
/ All Windows Server 2012 domain controllers
/ Sufficient Windows Server 2012 domain controllers to handle all the Windows 8 device
authentication requests
/ Sufficient Windows Server 2012 domain controllers to handle all the Windows Server
2012 resource protocol transition requests to support non-Windows 8 devices.

Reference: What's New in Kerberos Authentication

http://technet.microsoft.com/en-us/library/hh831747.aspx


Question No : 31 - (Topic 1)

Your network contains an Active Directory forest named contoso.com. The forest contains
three domains. All domain controllers run Windows Server 2012 R2.

The forest has a two-way realm trust to a Kerberos realm named adatum.com.

You discover that users in adatum.com can only access resources in the root domain of
contoso.com.

You need to ensure that the adatum.com users can access the resources in all of the
domains in the forest.

What should you do in the forest?

A. Delete the realm trust and create a forest trust.
B. Delete the realm trust and create three external trusts.
C. Modify the incoming realm trust.
D. Modify the outgoing realm trust.

Answer: D
Explanation:

* A one-way, outgoing realm trust allows resources in your Windows Server domain (the
domain that you are logged on to at the time that you run the New Trust Wizard) to be
accessed by users in the Kerberos realm.

* You can establish a realm trust between any non-Windows Kerberos version 5 (V5) realm
and an Active Directory domain. This trust relationship allows cross-platform interoperability
with security services that are based on other versions of the Kerberos V5 protocol, for
example, UNIX and MIT implementations. Realm trusts can switch from nontransitive to
transitive and back. Realm trusts can also be either one-way or two-way.

Reference: Create a One-Way, Outgoing, Realm Trust


Question No : 32 - (Topic 1)

Your network contains an Active Directory domain named contoso.com. The domain
contains a file server named Server1 that runs Windows Server 2012 R2. All client
computers run Windows 8.

You need to configure a custom Access Denied message that will be displayed to users
when they are denied access to folders or files on Server1.

What should you configure?

A. A classification property
B. The File Server Resource Manager Options
C. A file management task
D. A file screen template

Answer: B
Explanation:

Access-denied assistance can be configured by using the File Server Resource Manager
console on the file server.

Note: Access-denied assistance is a new feature in Windows Server 2012, which provides
the following ways to troubleshoot issues that are related to access to files and folders:
* Self-assistance. If a user can determine the issue and remediate the problem so that they
can get the requested access, the impact to the business is low, and no special exceptions
are needed in the central access policy. Access-denied assistance provides an access-
denied message that file server administrators can customize with information specific to
their organizations. For example, an administrator could set the message so that users can
request access from a data owner without involving the file server administrator.

Reference: Scenario: Access-Denied Assistance

Question No : 33 HOTSPOT - (Topic 1)

Your network contains an Active Directory domain named contoso.com. The domain
contains two member servers named Server1 and Server2. All servers run Windows Server
2012 R2.

Server1 and Server2 have the Network Load Balancing (NLB) feature installed. The
servers are configured as nodes in an NLB cluster named Cluster1. Both servers connect
to the same switch.

Cluster1 hosts a secure web application named WebApp1. WebApp1 saves user state
information in a central database.

You need to ensure that the connections to WebApp1 are distributed evenly between the
nodes. The solution must minimize port flooding.

What should you configure? To answer, configure the appropriate affinity and the
appropriate mode for Cluster1 in the answer area.

Answer:


Explanation:

The Affinity parameter is applicable only for the Multiple hosts filtering mode.
/ The Single option specifies that NLB should direct multiple requests from the same client
IP address to the same cluster host.

Question No : 34 HOTSPOT - (Topic 1)

Your network contains an Active Directory domain named contoso.com. All client
computers run Windows 8 Enterprise.

You have a remote site that only contains client computers. All of the client computer
accounts are located in an organizational unit (OU) named Remote1. A Group Policy object
(GPO) named GPO1 is linked to the Remote1 OU.

You need to configure BranchCache for the remote site.

Which two settings should you configure in GPO1?

To answer, select the two appropriate settings in the answer area.

Answer:

Explanation:


BranchCache is disabled by default on client computers. Take the following steps to enable
BranchCache on client computers:
1. Turn on BranchCache.
2. Enable either Distributed Cache mode or Hosted Cache mode.
3. Configure the client firewall to enable BranchCache protocols.

Question No : 35 HOTSPOT - (Topic 1)

Your network contains an Active Directory domain named contoso.com. The domain
contains domain controllers that run either Windows Server 2003, Windows Server 2008
R2, or Windows Server 2012 R2.

You plan to implement a new Active Directory forest. The new forest will be used for testing
and will be isolated from the production network.

In the test network, you deploy a server named Server1 that runs Windows Server 2012
R2.

You need to configure Server1 as a new domain controller in a new forest named
contoso.test.

The solution must meet the following requirements:

✑ The functional level of the forest and of the domain must be the same as that of
contoso.com.
✑ Server1 must provide name resolution services for contoso.test.

What should you do?

To answer, configure the appropriate options in the answer area.

Answer:

Explanation:


Set the forest functional level and the domain functional level both to Windows Server 2003.
Also check Domain Name (DNS) server.

Note:
* When you deploy AD DS, set the domain and forest functional levels to the highest value
that your environment can support. This way, you can use as many AD DS features as
possible. For example, if you are sure that you will never add domain controllers that run
Windows Server 2003 to the domain or forest, select the Windows Server 2008 functional
level during the deployment process. However, if you might retain or add domain
controllers that run Windows Server 2003, select the Windows Server 2003 functional level.

* You can set the domain functional level to a value that is higher than the forest functional
level. For example, if the forest functional level is Windows Server 2003, you can set the
domain functional level to Windows Server 2003 or higher.

Question No : 36 - (Topic 1)

Your network contains an Active Directory forest named adatum.com. The forest contains a
single domain. The domain contains four servers. The servers are configured as shown in
the following table.

You need to update the schema to support a domain controller that will run Windows
Server 2012 R2.

On which server should you run adprep.exe?

A. Server1
B. DC3
C. DC2
D. DC1

Answer: B
Explanation:

We must use the Windows Server 2008 R2 Server.

Upgrade Domain Controllers to Windows Server 2012 R2 and Windows Server 2012

You can use adprep.exe on domain controllers that run 64-bit versions of Windows Server
2008 or Windows Server 2008 R2 to upgrade to Windows Server 2012. You cannot
upgrade domain controllers that run Windows Server 2003 or 32-bit versions of Windows
Server 2008. To replace them, install domain controllers that run a later version of
Windows Server in the domain, and then remove the domain controllers that run Windows
Server 2003.

Reference: Upgrade Domain Controllers to Windows Server 2012 R2 and Windows Server
2012, Supported in-place upgrade paths.

http://technet.microsoft.com/en-us/library/hh994618.aspx#BKMK_UpgradePaths

Question No : 37 DRAG DROP - (Topic 1)

Your network contains an Active Directory domain named contoso.com.

You need to ensure that third-party devices can use Workplace Join to access domain
resources on the Internet.

Which four actions should you perform in sequence?

To answer, move the appropriate four actions from the list of actions to the answer area
and arrange them in the correct order.

Answer:

Explanation:
Box 1:

Box 2:


Box 3:

Box 4:

Note:
* The checklist for deploying a federation server farm includes:
(Box 1) Enroll a Secure Socket Layer (SSL) certificate for AD FS.
(Box 2) Install the AD FS role service.
(Box 3, box 4) Optional step: Configure a federation server with Device Registration
Service (DRS).
Box 3: To enable Device Registration Service.
On your federation server, open a Windows PowerShell command window and type:
Enable-AdfsDeviceRegistration
Repeat this step on each federation farm node in your AD FS farm.
Box 4: Update the Web Application Proxy configuration
The Device Registration Service will be available through the Web Application Proxy once
it is enabled on a federation server. You may need to complete this procedure to update
the Web Application Proxy configuration if it was deployed prior to enabling the Device
Registration Service.
* Workplace Join is made possible by the Device Registration Service (DRS) that is
included with the Active Directory Federation Role in Windows Server 2012 R2. When a
device is Workplace Joined, the DRS provisions a device object in Active Directory and
sets a certificate on the consumer device that is used to represent the device identity. The
DRS is meant to be both internal and external facing. Companies that deploy both DRS
and the Web Application Proxy will be able to Workplace Join devices from any internet
connected location.

Question No : 38 - (Topic 1)

Your network contains two DNS servers named DNS1 and DNS2 that run Windows Server
2012 R2.

DNS1 has a primary zone named contoso.com. DNS2 has a secondary copy of the
contoso.com zone.

You need to log the zone transfer packets sent between DNS1 and DNS2.

What should you configure?

A. Monitoring from DNS Manager
B. Logging from Windows Firewall with Advanced Security
C. A Data Collector Set (DCS) from Performance Monitor
D. Debug logging from DNS Manager

Answer: D
Explanation:

Debug logging allows you to log the packets sent and received by a DNS server. Debug
logging is disabled by default, and because it is resource intensive, you should only
activate it temporarily when you need more specific detailed information about server
performance.

Reference: Active Directory 2008: DNS Debug Logging Facts.

Question No : 39 - (Topic 1)

You have a server named SCI that runs a Server Core Installation of Windows Server 2012
R2. Shadow copies are enabled on all volumes.

You need to delete a specific shadow copy. The solution must minimize server downtime.

Which tool should you use?

A. Shadow
B. Diskshadow
C. Wbadmin
D. Diskpart

Answer: B
Explanation:

DiskShadow.exe is a tool that exposes the functionality offered by the Volume Shadow
Copy Service (VSS).
The DiskShadow command "delete shadows" deletes shadow copies.

Reference: Technet, Diskshadow

Question No : 40 - (Topic 1)

Your network contains an Active Directory forest named contoso.com. The forest contains
two child domains named east.contoso.com and west.contoso.com.

You install an Active Directory Rights Management Services (AD RMS) cluster in each
child domain.

You discover that all of the users in the contoso.com forest are directed to the AD RMS
cluster in east.contoso.com.

You need to ensure that the users in west.contoso.com are directed to the AD RMS cluster
in west.contoso.com and that the users in east.contoso.com are directed to the AD RMS
cluster in east.contoso.com.

What should you do?

A. Modify the Service Connection Point (SCP).
B. Configure the Group Policy object (GPO) settings of the users in the west.contoso.com
domain.
C. Configure the Group Policy object (GPO) settings of the users in the east.contoso.com
domain.
D. Modify the properties of the AD RMS cluster in west.contoso.com.

Answer: B
Explanation:

The users in west.contoso.com are the ones affected; they need to be directed to the
AD RMS cluster in west.contoso.com, not the one in east.contoso.com.

Note: It is recommended that you use GPO to deploy AD RMS client settings and that you
only deploy settings as needed.

Reference: AD RMS Best Practices Guide

Question No : 41 - (Topic 1)

Your network contains an Active Directory domain named contoso.com. The domain
contains a server named Server1 that runs Windows Server 2012 R2. Server1 has the
Active Directory Certificate Services server role installed and is configured as an enterprise
certification authority (CA).

You need to ensure that all of the users in the domain are issued a certificate that can be
used for the following purposes:

✑ Email security
✑ Client authentication
✑ Encrypting File System (EFS)

Which two actions should you perform? (Each correct answer presents part of the solution.
Choose two.)

A. From a Group Policy, configure the Certificate Services Client – Auto-Enrollment
settings.
B. From a Group Policy, configure the Certificate Services Client – Certificate Enrollment
Policy settings.
C. Modify the properties of the User certificate template, and then publish the template.
D. Duplicate the User certificate template, and then publish the template.
E. From a Group Policy, configure the Automatic Certificate Request Settings settings.

Answer: A,D
Explanation:

The default user template supports all of the requirements EXCEPT auto enroll as shown
below:

However, a duplicate of the User template has the ability to autoenroll:


The Automatic Certificate Request Settings GPO setting is only available to Computer, not
user.

Reference: Manage Certificate Enrollment Policy by Using Group Policy.

http://technet.microsoft.com/en-us/library/dd851772.aspx

Question No : 42 - (Topic 1)

Your network contains an Active Directory domain named contoso.com.

A previous administrator implemented a Proof of Concept installation of Active Directory
Rights Management Services (AD RMS).

After the proof of concept was complete, the Active Directory Rights Management Services
server role was removed.

You attempt to deploy AD RMS.

During the configuration of AD RMS, you receive an error message indicating that an
existing AD RMS Service Connection Point (SCP) was found.

You need to remove the existing AD RMS SCP.

Which tool should you use?

A. Active Directory Users and Computers
B. Authorization Manager
C. Active Directory Domains and Trusts
D. Active Directory Sites and Services
E. Active Directory Rights Management Services

Answer: E
Explanation:

AD RMS registers the Service Connection Point (SCP) in Active Directory, and you need to
unregister it before you remove the AD RMS server role.

If your AD RMS server is still running, you can remove the SCP manually as shown below:


http://www.rickygao.com/wp-content/uploads/2013/08/080513_1308_Howtomanual1.png


http://www.rickygao.com/wp-content/uploads/2013/08/080513_1308_Howtomanual2.png

Reference: How to manually remove or reinstall ADRMS

Question No : 43 - (Topic 1)

You have 20 servers that run Windows Server 2012 R2.

You need to create a Windows PowerShell script that registers each server in Windows
Azure Backup and sets an encryption passphrase.

Which two PowerShell cmdlets should you run in the script? (Each correct answer presents
part of the solution. Choose two.)

A. New-OBPolicy
B. New-OBRetentionPolicy
C. Add-OBFileSpec
D. Start-OBRegistration
E. Set-OBMachineSetting

Answer: D,E
Explanation:

D. Start-OBRegistration
Registers the current computer with Windows Azure Online Backup using the credentials
(username and password) created during enrollment.
E. The Set-OBMachineSetting cmdlet sets an OBMachineSetting object for the server that
includes proxy server settings for accessing the internet, network bandwidth throttling
settings, and the encryption passphrase that is required to decrypt the files during recovery
to another server.

Incorrect:
Not C. The Add-OBFileSpec cmdlet adds the OBFileSpec object, which specifies the items to
include or exclude from a backup, to the backup policy (OBPolicy object).
The OBFileSpec object can include or exclude multiple files, folders, or volumes.

Reference: Start-OBRegistration; Set-OBMachineSetting

http://technet.microsoft.com/en-us/library/hh770398.aspx

http://technet.microsoft.com/en-us/library/hh770409.aspx

Question No : 44 - (Topic 1)

Your network contains an Active Directory domain named contoso.com. The domain
contains a domain controller named DC1 that runs Windows Server 2012 R2. DC1 has the
DNS Server server role installed.

The network contains client computers that run either Linux, Windows 7, or Windows 8.

You have a standard primary zone named adatum.com as shown in the exhibit. (Click the
Exhibit button.)

You plan to configure Name Protection on all of the DHCP servers.

You need to configure the adatum.com zone to support Name Protection.

Which two configurations should you perform from DNS Manager? (Each correct answer
presents part of the solution. Choose two.)

A. Sign the zone.
B. Store the zone in Active Directory.
C. Modify the Security settings of the zone.
D. Configure Dynamic updates.
E. Add a DNS key record

Answer: B,D
Explanation:

Name protection requires secure update to work. Without name protection DNS names
may be hijacked.

You can use the following procedures to allow only secure dynamic updates for a zone.
Secure dynamic update is supported only for Active Directory–integrated zones. If the zone
type is configured differently, you must change the zone type and directory-integrate the
zone before securing it for Domain Name System (DNS) dynamic updates.

1. (B) Convert primary DNS server to Active Directory integrated primary
2. (D) Enable secure dynamic updates


Reference: DHCP: Secure DNS updates should be configured if Name Protection is
enabled on any IPv4 scope

http://technet.microsoft.com/en-us/library/ee941152(v=ws.10).aspx

Question No : 45 - (Topic 1)

Your network contains an Active Directory domain named contoso.com. The domain
contains a server named Server1 that runs Windows Server 2012 R2 and has the DHCP
Server server role installed.

An administrator installs the IP Address Management (IPAM) Server feature on a server
named Server2. The administrator configures IPAM by using Group Policy based
provisioning and starts server discovery.

You plan to create Group Policies for IPAM provisioning.

You need to identify which Group Policy object (GPO) name prefix must be used for IPAM
Group Policies.

What should you do on Server2?

A. From Server Manager, review the IPAM overview.
B. Run the ipamgc.exe tool.
C. From Task Scheduler, review the IPAM tasks.
D. Run the Get-IpamConfiguration cmdlet.

Answer: D
Explanation:
Example:

http://i.imgur.com/YcHLXhr.jpg

Question No : 46 - (Topic 1)

You have a server named Server1 that runs Windows Server 2012 R2.

Server1 is backed up by using Windows Server Backup. The backup configuration is
shown in the exhibit. (Click the Exhibit button.)

You discover that only the last copy of the backup is maintained.

You need to ensure that multiple backup copies are maintained.

What should you do?

A. Modify the backup destination.
B. Configure the Optimize Backup Performance settings.
C. Modify the Volume Shadow Copy Service (VSS) settings.
D. Modify the backup times.

Answer: A
Explanation:

The destination in the exhibit shows that a network share is used. If a network share is
being used, only the latest copy will be saved.

Reference: Where should I save my backup?

http://windows.microsoft.com/en-us/windows7/where-should-i-save-my-backup

Question No : 47 - (Topic 1)

Your network contains an Active Directory domain named contoso.com. The domain
contains a server named Server1 that runs Windows Server 2012 R2 and has the DNS
Server server role installed.

Server1 has a zone named contoso.com. The zone is configured as shown in the exhibit.
(Click the Exhibit button.)

You need to assign a user named User1 permission to add and delete records from the
contoso.com zone only.

What should you do first?

A. Enable the Advanced view from DNS Manager.
B. Add User1 to the DnsUpdateProxy group.
C. Run the New Delegation Wizard.
D. Configure the zone to be Active Directory-integrated.

Answer: D
Explanation:
Secure dynamic updates are only supported or configurable for resource records in zones
that are stored in Active Directory Domain Services (AD DS).

Note: To modify security for a resource record
✑ Open DNS Manager.
✑ In the console tree, click the applicable zone.
✑ In the details pane, click the record that you want to view.
✑ On the Action menu, click Properties.
✑ On the Security tab, modify the list of member users or groups that are allowed to
securely update the applicable record and reset their permissions as needed.

Reference: Modify Security for a Resource Record

Question No : 48 DRAG DROP - (Topic 1)

Your network contains an Active Directory domain named contoso.com. The domain
contains four member servers named Server1, Server2, Server3, and Server4. All servers
run Windows Server 2012 R2.

Server1 and Server2 are located in a site named Site1. Server3 and Server4 are located in
a site named Site2. The servers are configured as nodes in a failover cluster named
Cluster1.

Cluster1 is configured to use the Node Majority quorum configuration.

You need to ensure that Server1 is the only server in Site1 that can vote to maintain
quorum.

What should you run from Windows PowerShell?

To answer, drag the appropriate commands to the correct location. Each command may be
used once, more than once, or not at all. You may need to drag the split bar between
panes or scroll to view content.

Answer:

Explanation:

We remove Server2 from the quorum vote by setting its NodeWeight to 0.

NodeWeight settings are used during quorum voting to support disaster recovery and multi-
subnet scenarios for AlwaysOn Availability Groups and SQL Server Failover Cluster
Instances.

Example (PowerShell)
The following example changes the NodeWeight setting to remove the quorum vote for the
"AlwaysOnSrv1" node.
Import-Module FailoverClusters

$node = "AlwaysOnSrv1"
(Get-ClusterNode $node).NodeWeight = 0

Question No : 49 - (Topic 1)

Your network contains two servers named HV1 and HV2. Both servers run Windows
Server 2012 R2 and have the Hyper-V server role installed.

HV1 hosts 25 virtual machines. The virtual machine configuration files and the virtual hard
disks are stored in D:\VM.

You shut down all of the virtual machines on HV1.

You copy D:\VM to D:\VM on HV2.

You need to start all of the virtual machines on HV2. You want to achieve this goal by using
the minimum amount of administrative effort.

What should you do?

A. Run the Import-VMInitialReplication cmdlet.
B. From HV1, export all virtual machines to D:\VM. Copy D:\VM to D:\VM on HV2 and
overwrite the existing files. On HV2, run the Import Virtual Machine wizard.
C. From HV1, export all virtual machines to D:\VM. Copy D:\VM to D:\VM on HV2 and
overwrite the existing files. On HV2, run the New Virtual Machine wizard.
D. Run the Import-VM cmdlet.

Answer: D
Explanation:

Import-VM
Imports a virtual machine from a file.

Example
Imports the virtual machine from its configuration file. The virtual machine is registered
in-place, so its files are not copied.

Windows PowerShell
PS C:\> Import-VM -Path 'D:\Test\VirtualMachines\5AE40946-3A98-428E-8C83-081A3C6BD18C.XML'

Reference: Import-VM

Question No : 50 - (Topic 1)

You have a server named Server1.

You install the IP Address Management (IPAM) Server feature on Server1.

You need to provide a user named User1 with the ability to set the access scope of all the
DHCP servers that are managed by IPAM. The solution must use the principle of least
privilege.

Which user role should you assign to User1?

A. DNS Record Administrator Role
B. IPAM DHCP Reservations Administrator Role
C. IPAM Administrator Role
D. IPAM DHCP Administrator Role

Answer: D
Explanation:

The IPAM DHCP administrator role completely manages DHCP servers.

Reference: What's New in IPAM

Question No : 51 - (Topic 1)

Your network contains an Active Directory domain named contoso.com. The domain
contains a server named Server1 that runs Windows Server 2012 R2. The system
properties of Server1 are shown in the exhibit. (Click the Exhibit button.)

You need to configure Server1 as an enterprise subordinate certification authority (CA).

What should you do first?

A. Add RAM to the server.
B. Set the Startup Type of the Certificate Propagation service to Automatic.
C. Install the Certification Authority Web Enrollment role service.
D. Join Server1 to the contoso.com domain.

Answer: D
Explanation:
Enterprise CAs must be domain members. From the exhibit we see that it is only a
Workgroup member.

Note:
A new CA can be the root CA of a new PKI or subordinate to another in an existing PKI.
Enterprise subordinate certification authority.
An enterprise subordinate CA must get a CA certificate from an enterprise root CA but can
then issue certificates to all users and computers in the enterprise. These types of CAs are
often used for load balancing of an enterprise root CA.

Reference: Install a Subordinate Certification Authority

Question No : 52 - (Topic 1)

You have a server named Server1 that runs Windows Server 2012 R2.

When you install a custom Application on Server1 and restart the server, you receive the
following error message: "The Boot Configuration Data file is missing some required
information.

File: \Boot\BCD

Error code: 0x0000034."

You start Server1 by using Windows RE.

You need to ensure that you can start Windows Server 2012 R2 on Server1.

Which tool should you use?

A. Bootsect
B. Bootim
C. Bootrec
D. Bootcfg

Answer: C
Explanation:

* Use the Bootrec.exe tool to troubleshoot a "Bootmgr Is Missing" issue. The /ScanOs option
scans all disks for installations that are compatible with Windows Vista or Windows 7.
Additionally, this option displays the entries that are currently not in the BCD store. Use this
option when there are Windows Vista or Windows 7 installations that the Boot Manager
menu does not list.

* Error code 0x0000034 while booting.

Resolution:
1. Put the Windows 7 installation disc in the disc drive, and then start the
computer.
2. Press any key when the message "Press any key to boot from CD or DVD …" appears.
3. Select a language, time, currency, and a keyboard or another input method. Then click
Next.
4. Click Repair your computer.
5. Click the operating system that you want to repair, and then click Next.
6. In the System Recovery Options dialog box, click Command Prompt.
7. Type Bootrec /RebuildBcd, and then press ENTER.

Incorrect:
Not A. Bootsect.exe updates the master boot code for hard disk partitions to switch
between BOOTMGR and NTLDR. You can use this tool to restore the boot sector on your
computer. This tool replaces FixFAT and FixNTFS.
Not D. The bootcfg command is a Microsoft Windows Server 2003 utility that modifies the
Boot.ini file.

Reference: Bootsect Command-Line Options

http://technet.microsoft.com/en-us/library/cc749177(v=ws.10).aspx

http://support.microsoft.com/kb/927392/en-us

http://answers.microsoft.com/en-us/windows/forum/windows_7-system/error-code-0x0000034-in-windows-7/4dcb8d38-a206-40ed-bced-55e4a4de9bf2

Question No : 53 HOTSPOT - (Topic 1)

Your network contains an Active Directory forest named contoso.com that contains a single
domain. The forest contains three sites named Site1, Site2, and Site3.

Domain controllers run either Windows Server 2008 R2 or Windows Server 2012 R2.

Each site contains two domain controllers. Site1 and Site2 contain a global catalog server.

You need to create a new site link between Site1 and Site2. The solution must ensure that
the site link supports the replication of all the naming contexts.

From which node should you create the site link?

To answer, select the appropriate node in the answer area.

Answer:

Explanation:

Create a Site Link
To create a site link
✑ Open Active Directory Sites and Services. To open Active Directory Sites and
Services, click Start, click Administrative Tools, and then click Active Directory
Sites and Services.
To open Active Directory Sites and Services in Windows Server® 2012, click Start, type
dssite.msc.
✑ In the console tree, right-click the intersite transport protocol that you want the site
link to use.

Use the IP intersite transport unless your network has remote sites where network
connectivity is intermittent or end-to-end IP connectivity is not available. Simple Mail
Transfer Protocol (SMTP) replication has restrictions that do not apply to IP replication.

Question No : 54 - (Topic 1)

You have a virtual machine named VM1 that runs on a host named Host1.

You configure VM1 to replicate to another host named Host2. Host2 is located in the same
physical location as Host1.

You need to add an additional replica of VM1. The replica will be located in a different
physical site.

What should you do?

A. From VM1 on Host2, click Extend Replication.
B. On Host1, configure the Hyper-V settings.
C. From VM1 on Host1, click Extend Replication.
D. On Host2, configure the Hyper-V settings.

Answer: A
Explanation:

Extend Replication through UI:

Before you Extend Replication to third site, you need to establish the replication between a
primary server and replica server.
Once that is done, go to replica site and from Hyper-V UI manager select the VM for which
you want to extend the replication. Right click on VM and select “Replication->Extend
Replication …”. This will open Extend Replication Wizard which is similar to Enable
Replication Wizard.

NOTE: You configure a server to receive replication with Hyper-V Manager, in this situation
the replica site is assumed to be the Replica Server. Therefore you extend replication from
VM1 on Host2.

Note 2: With Hyper-V Extend Replication feature in Windows Server 2012 R2, customers
can have multiple copies of data to protect them from different outage scenarios. For
example, as a customer I might choose to keep my second DR site in the same campus or
a few miles away while I want to keep my third copy of data across the continents to give
added protection for my workloads. Hyper-V Replica Extend replication exactly addresses
this problem by providing one more copy of workload at an extended site apart from replica
site.

Reference: Hyper-V Replica: Extend Replication

http://blogs.technet.com/b/virtualization/archive/2013/12/10/hyper-v-replica-extend-replication.aspx

Question No : 55 - (Topic 1)

Your network contains an Active Directory domain named contoso.com. The domain
contains four servers named Server1, Server2, Server3, and Server4 that run Windows
Server 2012 R2. All servers have the Hyper-V server role and the Failover Clustering
feature installed.

You need to replicate virtual machines from Cluster1 to Cluster2.

Which three actions should you perform? (Each correct answer presents part of the
solution. Choose three.)

A. From Hyper-V Manager on a node in Cluster2, create three virtual machines.
B. From Cluster2, add and configure the Hyper-V Replica Broker role.
C. From Failover Cluster Manager on Cluster1, configure each virtual machine for
replication.
D. From Cluster1, add and configure the Hyper-V Replica Broker role.
E. From Hyper-V Manager on a node in Cluster2, modify the Hyper-V settings.

Answer: C,D,E
Explanation:

D. You must configure the Hyper-V Replica Broker for cluster1.

E. We must configure the Replica server to receive replication from primary
servers:
✑ In Hyper-V Manager, click Hyper-V Settings in the Actions pane.
✑ In the Hyper-V Settings dialog, click Replication Configuration.
✑ In the Details pane, select Enable this computer as a Replica server.

C. Enable virtual machine replication.

Once the hosting server is configured for Replica, you can enable replication for each
virtual machine that you want to be replicated.

Reference: Deploy Hyper-V Replica

https://technet.microsoft.com/en-us/library/jj134207.aspx

Question No : 56 - (Topic 1)

You have 30 servers that run Windows Server 2012 R2.

All of the servers are backed up daily by using Windows Azure Online Backup.

You need to perform an immediate backup of all the servers to Windows Azure Online
Backup.

Which Windows PowerShell cmdlets should you run on each server?

A. Get-OBPolicy | Start-OBBackup
B. Start-OBRegistration | Start-OBBackup
C. Get-WBPolicy | Start-WBBackup
D. Get-WBBackupTarget | Start-WBBackup

Answer: A
Explanation:

This example starts a backup job using a policy.

Windows PowerShell
PS C:\> Get-OBPolicy | Start-OBBackup

Incorrect:
Not B. Registers the current computer to Windows Azure Backup.
Not C. Not using Azure
Not D. Not using Azure

Reference: Start-OBBackup

http://technet.microsoft.com/en-us/library/hh770406(v=wps.620).aspx

Question No : 57 - (Topic 1)

Your company recently deployed a new Active Directory forest named contoso.com. The
first domain controller in the forest runs Windows Server 2012 R2.

You need to identify the time-to-live (TTL) value for domain referrals to the NETLOGON
and SYSVOL shared folders.

Which tool should you use?

A. Ultrasound
B. Replmon
C. Dfsdiag
D. Frsutil

Answer: C
Explanation:
Explanation/Reference:
DFSDIAG can check your configuration in five different ways:

Checking referral responses (DFSDIAG /TestReferral)
Checking domain controller configuration
Checking site associations
Checking namespace server configuration
Checking individual namespace configuration and integrity

Reference: Five ways to check your DFS-Namespaces (DFS-N) configuration with the
DFSDIAG.EXE tool

Question No : 58 - (Topic 1)

You have a server named Server1 that runs Windows Server 2012 R2 and is used for
testing.

A developer at your company creates and installs an unsigned kernel-mode driver on
Server1. The developer reports that Server1 will no longer start.

You need to ensure that the developer can test the new driver. The solution must minimize
the amount of data loss.

Which Advanced Boot Option should you select?

A. Disable Driver Signature Enforcement
B. Disable automatic restart on system failure
C. Last Known Good Configuration (advanced)
D. Repair Your Computer

Answer: A
Explanation:

A. By default, 64-bit versions of Windows Vista and later versions of Windows will load a
kernel-mode driver only if the kernel can verify the driver signature. However, this default
behavior can be disabled to facilitate early driver development and non-automated testing.

Incorrect:
Not B. Specifies that Windows automatically restarts your computer when a failure occurs.
Not C. Developer would not be able to test the driver as needed.
Not D. Removes or repairs critical Windows files; the developer would not be able to test
the driver as needed, and there would be some file loss.

Reference: Installing Windows Server 2012.

http://technet.microsoft.com/en-us/library/jj134246.aspx

http://msdn.microsoft.com/en-us/library/windows/hardware/ff547565(v=vs.85).aspx

Question No : 59 HOTSPOT - (Topic 1)

Your network contains three Active Directory forests. The forests are configured as shown
in the following table.

A two-way forest trust exists between contoso.com and division1.contoso.com. A two-way
forest trust also exists between contoso.com and division2.contoso.com.

You plan to create a one-way forest trust from division1.contoso.com to
division2.contoso.com.

You need to ensure that any cross-forest authentication requests are sent to the domain
controllers in the appropriate forest after the trust is created.

How should you configure the existing forest trust settings?

In the table below, identify which configuration must be performed in each forest. Make
only one selection in each column. Each correct selection is worth one point.

Answer:

Explanation:

Explanation/Reference:
There will be a one-way forest trust from division1.contoso.com to division2.contoso.com.
Division1 trusts Division2. Division2 must be able to access resources in Division1.
Division1 should not be able to access resources in Division2.

Question No : 60 - (Topic 1)

You create a new virtual disk in a storage pool by using the New Virtual Disk Wizard. You
discover that the new virtual disk has a write-back cache of 1 GB.

You need to ensure that the virtual disk has a write-back cache of 5 GB.

What should you do?

A. Detach the virtual disk, and then run the Resize-VirtualDisk cmdlet.
B. Detach the virtual disk, and then run the Set-VirtualDisk cmdlet.
C. Delete the virtual disk, and then run the New-StorageSubSystemVirtualDisk cmdlet.
D. Delete the virtual disk, and then run the New-VirtualDisk cmdlet.

Answer: D
Explanation:

So what about changing the cache size? Well, you can't modify the cache size, but you can
specify it at the time that you create a new virtual hard disk. In order to do so, you have to
use Windows PowerShell.

New-VirtualDisk –StoragePoolFriendlyName "<storage pool name>" –FriendlyName "<v

Reference: Using Windows Server 2012's SSD Write-Back Cache

Topic 2, Volume B

Question No : 61 - (Topic 2)

Your network contains an Active Directory domain named contoso.com. The domain
contains two member servers named Server1 and Server2. All servers run Windows Server
2012 R2.

Server1 and Server2 have the Failover Clustering feature installed. The servers are
configured as nodes in a failover cluster named Cluster1.

Cluster1 hosts an Application named App1.

You need to ensure that Server2 handles all of the client requests to the cluster for App1.
The solution must ensure that if Server2 fails, Server1 becomes the active node for App1.

What should you configure?

A. Affinity-None
B. Affinity-Single
C. The cluster quorum settings
D. The failover settings
E. A file server for general use
F. The Handling priority
G. The host priority
H. Live migration
I. The possible owner
J. The preferred owner
K. Quick migration
L. The Scale-Out File Server

Answer: J
Explanation:

The preferred owner in a two-server cluster will always be the active node unless it is
down.

Reference: Preferred Owners in a Cluster

http://blogs.msdn.com/b/clustering/archive/2008/10/14/9000092.aspx

Question No : 62 - (Topic 2)

Your network contains an Active Directory domain named contoso.com. The domain
contains two member servers named Server1 and Server2. All servers run Windows Server
2012 R2.

Server1 and Server2 have the Failover Clustering feature installed. The servers are
configured as nodes in a failover cluster named Cluster1.

You add two additional nodes in Cluster1.

You have a folder named Folder1 on Server1 that hosts Application data. Folder1 is a
folder target in a Distributed File System (DFS) namespace.

You need to provide highly available access to Folder1. The solution must support DFS
Replication to Folder1.

What should you configure?

A. Affinity-None
B. Affinity-Single
C. The cluster quorum settings
D. The failover settings
E. A file server for general use
F. The Handling priority
G. The host priority
H. Live migration
I. The possible owner
J. The preferred owner
K. Quick migration
L. The Scale-Out File Server

Answer: E
Explanation:

File Server for general use

Note: You can deploy and configure a clustered file server by using either of the following
methods:
* File Server for general use.
This is the continuation of the clustered file server that has been supported in Windows
Server since the introduction of Failover Clustering. This type of clustered file server, and
therefore all the shares associated with the clustered file server, is online on one node at a
time. This is sometimes referred to as active-passive or dual-active. File shares associated
with this type of clustered file server are called clustered file shares. This is the
recommended file server type when deploying information worker scenarios.

* Scale-Out File Server for application data
This clustered file server feature was introduced in Windows Server 2012, and it lets you
store server application data, such as Hyper-V virtual machine files, on file shares, and
obtain a similar level of reliability, availability, manageability, and high performance that you
would expect from a storage area network. All file shares are simultaneously online on all
nodes. File shares associated with this type of clustered file server are called scale-out file
shares. This is sometimes referred to as active-active. This is the recommended file server
type when deploying either Hyper-V over Server Message Block (SMB) or Microsoft SQL
Server over SMB.

Reference: Scale-Out File Server for Application Data Overview

Question No : 63 - (Topic 2)

Your network contains an Active Directory domain named contoso.com. All servers run
Windows Server 2012 R2.

The domain contains a domain controller named DC1 that is configured as an enterprise
root certification authority (CA).

All users in the domain are issued a smart card and are required to log on to their domain-
joined client computer by using their smart card.

A user named User1 resigned and started to work for a competing company.

You need to prevent User1 immediately from logging on to any computer in the domain.
The solution must not prevent other users from logging on to the domain.

Which tool should you use?

A. Active Directory Users and Computers
B. Server Manager
C. The Certificates snap-in
D. Active Directory Administrative Center

Answer: D
Explanation:

To disable or enable a user account using Active Directory Administrative Center

1. To open Active Directory Administrative Center, click Start, click Administrative Tools,
and then click Active Directory Administrative Center.
To open Active Directory Users and Computers in Windows Server 2012, click Start, type
dsac.exe.

2. In the navigation pane, select the node that contains the user account whose status you
want to change.
3. In the management list, right-click the user whose status you want to change.
4. Depending on the status of the user account, do one of the following:

Reference: Disable or Enable a User Account

Question No : 64 - (Topic 2)

Your network contains an Active Directory domain named contoso.com. The domain
contains two member servers named Server1 and Server2. All servers run Windows Server
2012 R2.

Server1 and Server2 have the Failover Clustering feature installed. The servers are
configured as nodes in a failover cluster named Cluster1.

You add two additional nodes to Cluster1.

You have a folder named Folder1 on Server1 that contains Application data.

You plan to provide continuously available access to Folder1.

You need to ensure that all of the nodes in Cluster1 can actively respond to the client
requests for Folder1.

What should you configure?

A. Affinity-None
B. Affinity-Single
C. The cluster quorum settings
D. The failover settings
E. A file server for general use
F. The Handling priority
G. The host priority
H. Live migration
I. The possible owner
J. The preferred owner
K. Quick migration
L. The Scale-Out File Server

Answer: L
Explanation:

Scale-Out File Server is a feature that is designed to provide scale-out file shares that are
continuously available for file-based server application storage. Scale-out file shares
provide the ability to share the same folder from multiple nodes of the same cluster.

Note: You can deploy and configure a clustered file server by using either of the following
methods:
* Scale-Out File Server for Application data (Scale-Out File Server)
* File Server for general use

Scale-Out File Server for Application data (Scale-Out File Server) This clustered file server
is introduced in Windows Server 2012 R2 and lets you store server Application data, such
as Hyper-V virtual machine files, on file shares, and obtain a similar level of reliability,
availability, manageability, and high performance that you would expect from a storage
area network. All file shares are online on all nodes simultaneously. File shares associated
with this type of clustered file server are called scale-out file shares. This is sometimes
referred to as active-active.

Reference: Scale-Out File Server for Application Data Overview

http://technet.microsoft.com/en-us/library/hh831349.aspx

Question No : 65 - (Topic 2)

Your network contains an Active Directory domain named contoso.com. The domain
contains two member servers named Server1 and Server2. All servers run Windows Server
2012 R2.

Server1 and Server2 have the Network Load Balancing (NLB) feature installed. The
servers are configured as nodes in an NLB cluster named Cluster1.

Port rules are configured for all clustered Applications.

You need to ensure that Server2 handles all client requests to the cluster that are NOT
covered by a port rule.

What should you configure?

A. Affinity-None
B. Affinity-Single
C. The cluster quorum settings
D. The failover settings
E. A file server for general use
F. The Handling priority
G. The host priority
H. Live migration
I. The possible owner
J. The preferred owner
K. Quick migration
L. The Scale-Out File Server

Answer: G
Explanation:

Host Priorities
Each cluster host is assigned a unique host priority in the range of 1 to 32, where lower
numbers denote higher priorities. The host with the highest host priority (lowest numeric
value) is called the default host. It handles all client traffic for the virtual IP addresses that is
not specifically intended to be load-balanced. This ensures that server applications not
configured for load balancing only receive client traffic on a single host. If the default host
fails, the host with the next highest priority takes over as default host.

Reference: Network Load Balancing Technical Overview

http://technet.microsoft.com/en-us/library/bb742455.aspx

Question No : 66 - (Topic 2)

You have a server named FS1 that runs Windows Server 2012 R2.

You install the File and Storage Services server role on FS1.

From Windows Explorer, you view the properties of a shared folder named Share1 and you
discover that the Classification tab is missing.

You need to ensure that you can assign classifications to Share1 from Windows Explorer
manually.

What should you do?

A. From Folder Options, select Show hidden files, folders, and drives.
B. From Folder Options, clear Use Sharing Wizard (Recommended).
C. Install the File Server Resource Manager role service.
D. Install the Enhanced Storage feature.

Answer: C
Explanation:
On the Classification tab of the file properties in Windows Server 2012, File Classification
Infrastructure adds the ability to manually classify files. You can also classify folders so that
any file added to the classified folder will inherit the classifications of the parent folder.

Reference: What's New in File Server Resource Manager in Windows Server

Question No : 67 HOTSPOT - (Topic 2)

You have a file server named Server1 that runs Windows Server 2012 R2.

Server1 contains a file share that must be accessed by only a limited number of users.

You need to ensure that if an unauthorized user attempts to access the file share, a custom
access-denied message appears, which contains a link to request access to the share. The
message must not appear when the unauthorized user attempts to access other shares.

Which two nodes should you configure in File Server Resource Manager?

To answer, select the appropriate two nodes in the answer area.


Answer:

Explanation:


* Configure access-denied assistance

To configure access-denied assistance by using File Server Resource Manager
1. Open File Server Resource Manager. In Server Manager, click Tools, and then click File
Server Resource Manager.
2. Right-click File Server Resource Manager (Local), and then click Configure Options.
etc.

* To specify a separate access-denied message for a shared folder by using File Server
Resource Manager

1. Open File Server Resource Manager. In Server Manager, click Tools, and then click File
Server Resource Manager.
2. Expand File Server Resource Manager (Local), and then click Classification
Management.
3. Right-click Classification Properties, and then click Set Folder Management Properties.
Etc

Question No : 68 - (Topic 2)

Your network contains two Active Directory forests named contoso.com and
corp.contoso.com.

User1 is a member of the DnsAdmins domain local group in contoso.com.

User1 attempts to create a conditional forwarder to corp.contoso.com but receives an error
message shown in the exhibit. (Click the Exhibit button.)

You need to configure bi-directional name resolution between the two forests.

What should you do first?

A. Add User1 to the DnsUpdateProxy group.
B. Configure the zone to be Active Directory-integrated.
C. Enable the Advanced view from DNS Manager.
D. Run the New Delegation Wizard.

Answer: B
Explanation:

The zone must be Active Directory-integrated.

Question No : 69 - (Topic 2)

Your network contains an Active Directory domain named contoso.com. The domain
contains three servers named Server1, Server2, and Server3 that run Windows Server
2012 R2. All three servers have the Hyper-V server role installed and the Failover
Clustering feature installed.

Server1 and Server2 are nodes in a failover cluster named Cluster1. Several highly
available virtual machines run on Cluster1. Cluster1 has the Hyper-V Replica Broker role
installed. The Hyper-V Replica Broker currently runs on Server1.

Server3 currently has no virtual machines.

You need to configure Cluster1 to be a replica server for Server3 and Server3 to be a
replica server for Cluster1.

Which two tools should you use? (Each correct answer presents part of the solution.
Choose two.)

A. The Hyper-V Manager console connected to Server3
B. The Failover Cluster Manager console connected to Server3
C. The Hyper-V Manager console connected to Server1.
D. The Failover Cluster Manager console connected to Cluster1
E. The Hyper-V Manager console connected to Server2

Answer: A,D
Explanation:

A. To configure the Replica server [on a server that is not part of a cluster which in this
case is Server3]
✑ In Hyper-V Manager, click Hyper-V Settings in the Actions pane.
✑ In the Hyper-V Settings dialog, click Replication Configuration.
✑ In the Details pane, select Enable this computer as a Replica server.
Etc.

D. To configure a Replica server that is part of a failover cluster.

1. In Server Manager, open Failover Cluster Manager.
2. In the left pane, connect to the cluster, and while the cluster name is highlighted, click
Roles in the Navigate category of the Details pane.
3. Right-click the role and choose Replication Settings.
4. In the Details pane, select Enable this cluster as a Replica server.
Etc.

Reference: Deploy Hyper-V Replica, Step 2: Enable Replication

http://technet.microsoft.com/en-us/library/jj134240.aspx

Question No : 70 - (Topic 2)

Your network contains an Active Directory domain named contoso.com. The domain
contains a server named Server3 that runs Windows Server 2012 R2 and has the DHCP
Server server role installed.

DHCP is configured as shown in the exhibit. (Click the Exhibit button.)

Scope1, Scope2, and Scope3 are configured to assign the IP addresses of two DNS
servers to DHCP clients. The remaining scopes are NOT configured to assign IP
addresses of DNS servers to DHCP clients.

You need to ensure that only Scope1, Scope3, and Scopes assign the IP addresses of the
DNS servers to the DHCP clients. The solution must minimize administrative effort.

What should you do?

A. Create a superscope and a filter.
B. Create a superscope and scope-level policies.
C. Configure the Server Options.
D. Configure the Scope Options.

Answer: D
Explanation:

Scope options are applied to any clients that obtain a lease within that particular scope.
Active scope option types always apply to all computers obtaining a lease in a given scope
unless they are overridden by class or reserved client settings for the option type.

Incorrect:
Not A, not B. A superscope allows a DHCP server to provide leases from more than one
scope to clients on a single physical network. It is not applicable here.
Not C. If we configure the Server Options and set the DNS Servers then all DHCP clients
would be assigned a DNS server.

Reference: Managing DHCP Options

https://technet.microsoft.com/en-us/library/cc958929.aspx

Question No : 71 - (Topic 2)

Your network contains an Active Directory domain named contoso.com. The domain
contains a file server named File1 that runs a Server Core Installation of Windows Server
2012 R2.

File1 has a volume named D that contains home folders. File1 creates a shadow copy of
volume D twice a day.

You discover that volume D is almost full.

You add a new volume named H to File1.

You need to ensure that the shadow copies of volume D are stored on volume H.

Which command should you run?

A. The Set-Volume cmdlet with the -driveletter parameter
B. The vssadmin.exe create shadow command
C. The Set-Volume cmdlet with the -path parameter
D. The vssadmin.exe add shadowstorage command

Answer: D
Explanation:

Add ShadowStorage
Adds a shadow copy storage association for a specified volume.

Incorrect:
Not A. Set-Volume sets or changes the file system label of an existing volume. The
-DriveLetter parameter specifies a letter used to identify a drive or volume in the system.
Not B. Create Shadow creates a new shadow copy of a specified volume.
Not C. Set-Volume sets or changes the file system label of an existing volume. The -Path
parameter contains valid path information.

Reference: Vssadmin; Set-Volume

http://technet.microsoft.com/en-us/library/cc754968(v=ws.10).aspx

http://technet.microsoft.com/en-us/library/hh848673(v=wps.620).aspx

Question No : 72 DRAG DROP - (Topic 2)

Your network contains an Active Directory domain named contoso.com. The domain
contains four member servers named Server1, Server2, Server3, and Server4. All servers
run Windows Server 2012 R2.

Server1 and Server3 are located in a site named Site1. Server2 and Server4 are located in
a site named Site2. The servers are configured as nodes in a failover cluster named
Cluster1.

Dynamic quorum management is disabled.

Cluster1 is configured to use the Node Majority quorum configuration.

You need to ensure that users in Site2 can access Cluster1 if the network connection
between the two sites becomes unavailable.

What should you run from Windows PowerShell?

To answer, drag the appropriate commands to the correct location. Each command may be
used once, more than once, or not at all. You may need to drag the split bar between
panes or scroll to view content.

Answer:

Explanation:

NodeWeight settings are used during quorum voting to support disaster recovery and
multi-subnet scenarios for AlwaysOn Availability Groups and SQL Server Failover Cluster
Instances.

Example (PowerShell)
The following example changes the NodeWeight setting to remove the quorum vote for the
"AlwaysOnSrv1" node.
Import-Module FailoverClusters

# A NodeWeight of 0 removes the node's quorum vote.
$node = "AlwaysOnSrv1"
(Get-ClusterNode $node).NodeWeight = 0

Question No : 73 DRAG DROP - (Topic 2)

Your network contains two Active Directory forests named contoso.com and adatum.com.
Each forest contains an Active Directory Rights Management Services (AD RMS) root
cluster. All servers run Windows Server 2012 R2.

You need to ensure that the rights account certificates issued in adatum.com are accepted
by the AD RMS root cluster in contoso.com.

What should you do in each forest?

To answer, drag the appropriate actions to the correct forests. Each action may be used
once, more than once, or not at all. You may need to drag the split bar between panes or
scroll to view content.

Answer:

Explanation:

A trusted user domain, often referred to as a TUD, is a trust between AD RMS clusters that
instructs a licensing server to accept rights account certificates (the certificates identifying
users) from another AD RMS server in a different Active Directory forest. An AD RMS trust
is not the same as an Active Directory trust, but it is similar in that it refers to the ability of
one environment to accept identities from another environment as valid subjects.


Question No : 74 HOTSPOT - (Topic 2)

Your company has a main office and a branch office. The main office is located in Detroit.
The branch office is located in Seattle.

The network contains an Active Directory domain named adatum.com. Client computers
run either Windows 7 Enterprise or Windows 8 Enterprise.

The main office contains 1,000 client computers and 50 servers. The branch office contains
20 client computers.

All computer accounts for the branch office are located in an organizational unit (OU)
named SeattleComputers. A Group Policy object (GPO) named GPO1 is linked to the
SeattleComputers OU.

You need to configure BranchCache for the branch office.

Answer:

Explanation:

* BranchCache is disabled by default on client computers. Take the following steps to
enable BranchCache on client computers:
✑ Turn on BranchCache.
✑ Enable either Distributed Cache mode or Hosted Cache mode.
✑ Configure the client firewall to enable BranchCache protocols.

* Distributed Cache mode
If client computers are configured to use Distributed Cache mode, the cached content is
distributed among client computers on the branch office network. No infrastructure or
services are required in the branch office beyond client computers running Windows 7.

* Hosted Cache mode
In hosted cache mode, cached content is maintained on a computer running Windows
Server 2008 R2 on the branch office network.

Question No : 75 - (Topic 2)

You have a server named Server1 that runs Windows Server 2012 R2. Server1 is located
in the perimeter network and has the DNS Server server role installed.

Server1 has a zone named contoso.com.

You apply a security template to Server1.

After you apply the template, users report that they can no longer resolve names from
contoso.com.

On Server1, you open DNS Manager as shown in the DNS exhibit. (Click the Exhibit
button.)

On Server1, you open Windows Firewall with Advanced Security as shown in the Firewall
exhibit. (Click the Exhibit button.)

You need to ensure that users can resolve contoso.com names.

What should you do?

A. From Windows Firewall with Advanced Security, disable the DNS (TCP, Incoming) rule
and the DNS (UDP, Incoming) rule.
B. From DNS Manager, modify the Zone Transfers settings of the contoso.com zone.
C. From DNS Manager, unsign the contoso.com zone.
D. From DNS Manager, modify the Start of Authority (SOA) of the contoso.com zone.
E. From Windows Firewall with Advanced Security, modify the profiles of the DNS (TCP,
Incoming) rule and the DNS (UDP, Incoming) rule.

Answer: E
Explanation:

To configure Windows Firewall on a managed DNS server

✑ On the Server Manager menu, click Tools and then click Windows Firewall with
Advanced Security.
✑ Right-click Inbound Rules, and then click New Rule. The New Inbound Rule
Wizard will launch.
✑ In Rule Type, select Predefined, choose DNS Service from the list, and then click
Next.
✑ In Predefined Rules, under Rules, select the checkboxes next to the following
rules:
✑ Click Next, choose Allow the connection, and then click Finish.
✑ Right-click Inbound Rules, and then click New Rule. The New Inbound Rule
Wizard will launch.
etc.

Reference: Manually Configure DNS Access Settings
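
The answer depends on which firewall profiles the two DNS rules apply to. As an added example (not part of the original practice test), the following PowerShell compares the profiles of the rules named in the question with the profile or profiles active on the server's network connections. The function name Test-DnsRuleProfile is hypothetical, and the profile values in the final comment are illustrative because the exhibits are not reproduced here.

```powershell
# Added example: audit whether the inbound DNS rules named in the question
# apply to the firewall profile(s) that are actually active on this server.
# Test-DnsRuleProfile is a hypothetical helper name, not a built-in cmdlet.

function Test-DnsRuleProfile {
    param(
        # Display names as quoted in the question's answer choices.
        [string[]]$RuleName = @('DNS (TCP, Incoming)', 'DNS (UDP, Incoming)')
    )

    # Get-NetConnectionProfile reports DomainAuthenticated / Private / Public;
    # firewall rules use Domain / Private / Public (or Any).
    $map = @{ DomainAuthenticated = 'Domain'; Private = 'Private'; Public = 'Public' }
    $active = @(Get-NetConnectionProfile |
        ForEach-Object { $map[[string]$_.NetworkCategory] } |
        Sort-Object -Unique)

    foreach ($name in $RuleName) {
        $rules = @(Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)

        if ($rules.Count -eq 0) {
            [pscustomobject]@{
                Rule           = $name
                Enabled        = $null
                Action         = $null
                RuleProfiles   = $null
                ActiveProfiles = $active -join ','
                Uncovered      = $active -join ','
                Status         = 'Rule not found'
            }
            continue
        }

        foreach ($rule in $rules) {
            # Profile is a flags enum; as a string it reads "Any" or e.g. "Domain, Private".
            $ruleProfiles = ([string]$rule.Profile) -split ',\s*'

            # Active profiles that this rule does not apply to.
            $uncovered = @($active | Where-Object {
                ($ruleProfiles -notcontains 'Any') -and ($ruleProfiles -notcontains $_)
            })

            if ([string]$rule.Enabled -ne 'True') {
                $status = 'Rule disabled'
            }
            elseif ([string]$rule.Action -ne 'Allow') {
                $status = 'Rule does not allow the connection'
            }
            elseif ($uncovered.Count -gt 0) {
                $status = 'Rule not applied to an active profile'
            }
            else {
                $status = 'OK'
            }

            [pscustomobject]@{
                Rule           = $rule.DisplayName
                Enabled        = [string]$rule.Enabled
                Action         = [string]$rule.Action
                RuleProfiles   = $ruleProfiles -join ','
                ActiveProfiles = $active -join ','
                Uncovered      = $uncovered -join ','
                Status         = $status
            }
        }
    }
}

Test-DnsRuleProfile | Format-Table -AutoSize

# To change the profiles of a rule (preview only; remove -WhatIf to apply).
# The profile list here is illustrative: use the profiles reported as Uncovered.
# Set-NetFirewallRule -DisplayName 'DNS (UDP, Incoming)' -Profile Domain,Public -WhatIf
```

Scoping the rule to the profile that is actually active keeps the server from accepting DNS traffic on profiles it never uses.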

Question No : 76 HOTSPOT - (Topic 2)

Your network contains an Active Directory domain named contoso.com. The domain
contains two servers named Server1 and Server2 that run Windows Server 2012 R2. The
servers have the Hyper-V server role installed.

A certification authority (CA) is available on the network.

A virtual machine named vm1.contoso.com is replicated from Server1 to Server2. A virtual
machine named vm2.contoso.com is replicated from Server2 to Server1.

You need to configure Hyper-V to encrypt the replication of the virtual machines.

Which common name should you use for the certificates on each server?

To answer, configure the appropriate common name for the certificate on each server in
the answer area.

Answer:

Explanation:

Hyper-V Replica Certificate Requirements

If you want to use HTTPS, then you will need to create certificates for the hosts/clusters in
both the primary and secondary sites.

Question No : 77 - (Topic 2)

Your network contains an Active Directory domain named contoso.com. The network
contains a file server named Server1 that runs Windows Server 2012 R2.

You are configuring a central access policy for temporary employees.

You enable the Department resource property and assign the property a suggested value
of Temp.

You need to configure a target resource condition for the central access rule that is scoped
to resources assigned to Temp only.

Which condition should you use?

A. (Temp.Resource Equals "Department")
B. (Resource.Temp Equals "Department")
C. (Resource.Department Equals "Temp")
D. (Department.Value Equals "Temp")

Answer: C
Explanation:

Example:
Targeting: Resource.Department Contains Finance
Access rule: Allow read User.Country=Resource.Country AND User.department =
Resource.Department

Reference: Deploy a Central Access Policy (Demonstration Steps)

Question No : 78 - (Topic 2)

Your network contains two servers named Server1 and Server2 that run Windows Server
2012 R2. Server1 and Server2 are configured as shown in the following table.

You need to ensure that when new targets are added to Server1, the targets are registered
on Server2 automatically.

What should you do on Server1?

A. Configure the Discovery settings of the iSCSI initiator.
B. Configure the security settings of the iSCSI target.
C. Run the Set-WmiInstance cmdlet.
D. Run the Set-IscsiServerTarget cmdlet.

Answer: C

Explanation:
Explanation/Reference:
Manage iSNS server registration
The iSNS server registration can be done using the following cmdlets, which manage the
WMI objects.
To add an iSNS server:
Set-WmiInstance -Namespace root\wmi -Class WT_iSNSServer -Arguments @{ServerName="ISNSservername"}

Note: The Set-WmiInstance cmdlet creates or updates an instance of an existing WMI
class. The created or updated instance is written to the WMI repository.

Reference: iSCSI Target cmdlet reference

http://blogs.technet.com/b/filecab/archive/2012/06/08/iscsi-target-cmdlet-reference.aspx

Question No : 79 DRAG DROP - (Topic 2)

You have two failover clusters named Cluster1 and Cluster2. All of the nodes in both of the
clusters run Windows Server 2012 R2.

Cluster1 hosts two virtual machines named VM1 and VM2.

You plan to configure VM1 and VM2 as nodes in a new failover cluster named Cluster3.

You need to configure the witness disk for Cluster3 to be hosted on Cluster2.

Which three actions should you perform in sequence?

To answer, move the appropriate three actions from the list of actions to the answer area
and arrange them in the correct order.

Answer:

Explanation:

Explanation/Reference:
Note:
* Use the Create Clustered File Server Wizard
When you create a Scale-Out File Server Cluster from existing servers, the Create
Clustered File Server Wizard does the following:
1. Enables the file server role on the computers (box 1)
2. Enables the Scale-Out File Server role on the cluster (box 2)
3. Adds the provisioned computers as a Scale-Out File Server cluster under VMM
management
* VMM provides support for the Microsoft iSCSI Software Target by using an SMI-S
provider. Microsoft iSCSI is now fully integrated into Windows Server 2012.
* Scale-Out File Server-- As of System Center 2012 R2, VMM can create a Scale-Out File
Server and manage its storage.

Question No : 80 - (Topic 2)

Your network contains an Active Directory domain named contoso.com. The domain
contains a domain controller named DC1 that runs Windows Server 2012 R2. DC1 has the
DNS Server server role installed.

The network contains client computers that run either Linux, Windows 7, or Windows 8.

You have a zone named adatum.com as shown in the exhibit. (Click the Exhibit button.)

You plan to configure Name Protection on all of the DHCP servers.

You need to configure the adatum.com zone to support Name Protection.

What should you do?

A. Change the zone type.
B. Sign the zone.
C. Add a DNSKEY record.
D. Configure Dynamic updates.

Answer: D

Explanation:

Name protection requires secure update to work. Without name protection DNS names
may be hijacked.

You can use the following procedures to allow only secure dynamic updates for a zone.
Secure dynamic update is supported only for Active Directory–integrated zones. If the zone
type is configured differently, you must change the zone type and directory-integrate the
zone before securing it for Domain Name System (DNS) dynamic updates.

Enable secure dynamic updates:

Reference: DHCP: Secure DNS updates should be configured if Name Protection is
enabled on any IPv4 scope

http://technet.microsoft.com/en-us/library/ee941152(v=ws.10).aspx
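
As an added example (not part of the original practice test), the procedure described above in PowerShell: confirm that the zone is Active Directory-integrated, allow only secure dynamic updates, then enable Name Protection and report the setting for each IPv4 scope. The zone name and DC1 come from the question; the DHCP server name DHCP1 is a hypothetical placeholder.

```powershell
# Added example: prepare a zone for DHCP Name Protection.
Import-Module DnsServer, DhcpServer

$zoneName   = 'adatum.com'   # zone from the question
$dnsServer  = 'DC1'          # DNS server from the question
$dhcpServer = 'DHCP1'        # hypothetical DHCP server name

$zone = Get-DnsServerZone -Name $zoneName -ComputerName $dnsServer

# Secure dynamic update is supported only for Active Directory-integrated zones,
# so stop here if the zone is stored in a file.
if (-not $zone.IsDsIntegrated) {
    throw "Zone $zoneName is not Active Directory-integrated; change the zone type before enabling secure updates."
}

# DynamicUpdate is None, NonsecureAndSecure or Secure.
if ([string]$zone.DynamicUpdate -ne 'Secure') {
    Set-DnsServerPrimaryZone -Name $zoneName -ComputerName $dnsServer -DynamicUpdate Secure
}

# Enable Name Protection in the server-level IPv4 DNS settings.
Set-DhcpServerv4DnsSetting -ComputerName $dhcpServer -NameProtection $true

# Scopes can carry their own DNS settings, so report each scope separately.
$scopeReport = Get-DhcpServerv4Scope -ComputerName $dhcpServer | ForEach-Object {
    $scope = $_
    $dns   = Get-DhcpServerv4DnsSetting -ComputerName $dhcpServer -ScopeId $scope.ScopeId
    [pscustomobject]@{
        ScopeId        = $scope.ScopeId
        Name           = $scope.Name
        DynamicUpdates = $dns.DynamicUpdates
        NameProtection = $dns.NameProtection
    }
}

# Final state of the zone and of every scope.
Get-DnsServerZone -Name $zoneName -ComputerName $dnsServer |
    Select-Object ZoneName, IsDsIntegrated, DynamicUpdate
$scopeReport | Format-Table -AutoSize
```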

Question No : 81 - (Topic 2)

Your network contains two Active Directory forests named contoso.com and litwareinc.com.
A two-way forest trust exists between the forests. Selective authentication is enabled on
the trust.

The contoso.com forest contains a server named Server1.

You need to ensure that users in litwareinc.com can access resources on Server1.

What should you do?

A. Install Active Directory Rights Management Services on a domain controller in
contoso.com.
B. Modify the permission on the Server1 computer account.
C. Install Active Directory Rights Management Services on a domain controller in
litwareinc.com.
D. Configure SID filtering on the trust.

Answer: B
Explanation:

Selective authentication between forests

If you decide to set selective authentication on an incoming forest trust, you need to
manually assign permissions on each computer in the domain as well as the resources to
which you want users in the second forest to have access. To do this, set a control access
right Allowed to authenticate on the computer object that hosts the resource in Active
Directory Users and Computers in the second forest. Then, allow user or group access to
the particular resources you want to share.

Reference: Accessing resources across forests

Question No : 82 - (Topic 2)

Your network contains an Active Directory domain named contoso.com. The domain
contains two member servers named Server1 and Server2. All servers run Windows Server
2012 R2.

Server1 and Server2 have the Failover Clustering feature installed. The servers are
configured as nodes in a failover cluster named Cluster1.

You add two additional nodes to Cluster1. You need to ensure that Cluster1 stops running
if three nodes fail.

What should you configure?

A. Affinity-None
B. Affinity-Single
C. The cluster quorum settings
D. The failover settings
E. A file server for general use
F. The Handling priority
G. The host priority
H. Live migration
I. The possible owner
J. The preferred owner
K. Quick migration
L. the Scale-Out File Server

Answer: C
Explanation:

The quorum configuration in a failover cluster determines the number of failures that the
cluster can sustain.

Reference: Understanding Quorum Configurations in a Failover Cluster

http://technet.microsoft.com/en-us/library/cc731739.aspx

Question No : 83 - (Topic 2)

Information and details provided in a question apply only to that question.

Your network contains an Active Directory domain named contoso.com. The domain
contains two member servers named Server1 and Server2. All servers run Windows Server
2012 R2.

Server1 and Server2 have the Network Load Balancing (NLB) feature installed. The
servers are configured as nodes in an NLB cluster named Cluster1.

Cluster1 hosts a secure web application named WebApp1. WebApp1 saves user state
information locally on each node.

You need to ensure that when users connect to WebApp1, their session state is
maintained.

What should you configure?

A. Affinity-None
B. Affinity-Single
C. The cluster quorum settings
D. The failover settings
E. A file server for general use
F. The Handling priority
G. The host priority
H. Live migration
I. The possible owner
J. The preferred owner
K. Quick migration
L. the Scale-Out File Server

Answer: B
Explanation:

Client Affinity
NLB offers three types of client affinity to minimize response time to clients and provide
generic support for preserving session state. Each affinity specifies a different method for
distributing client requests.

Affinity: Single
Multiple requests from the same client must access the same member; useful for clusters
within an intranet.

This affinity provides the best support for clients that use sessions on an intranet. These
clients cannot use No affinity because their sessions could be disrupted.

Incorrect:
Not A. Affinity none: Multiple requests from the same client can access any member; useful
for clusters that do not store session state information on individual members.

Reference: Using NLB

http://technet.microsoft.com/en-us/library/bb687542.aspx

Question No : 84 - (Topic 2)

Your network contains an Active Directory forest named contoso.com. The forest contains
two domains named contoso.com and child1.contoso.com. The domains contain three
domain controllers. The domain controllers are configured as shown in the following table.

You need to ensure that the KDC support for claims, compound authentication, and
Kerberos armoring setting is enforced in both domains.

Which two actions should you perform? (Each correct answer presents part of the solution.
Choose two.)

A. Raise the domain functional level of contoso.com.
B. Raise the domain functional level of child1.contoso.com.
C. Raise the forest functional level of contoso.com.
D. Upgrade DC11 to Windows Server 2012 R2.
E. Upgrade DC1 to Windows Server 2012 R2.

Answer: A,E
Explanation:

The root domain in the forest must be at Windows Server 2012 level. First upgrade DC1 to
this level (E), then raise the contoso.com domain functional level to Windows Server 2012
(A).

* (E) To support resources that use claims-based access control, the principal’s domains
will need to be running one of the following:
/ All Windows Server 2012 domain controllers.
/ Sufficient Windows Server 2012 domain controllers to handle all the Windows 8 device
authentication requests.
/ Sufficient Windows Server 2012 domain controllers to handle all the Windows Server
2012 resource protocol transition requests to support non-Windows 8 devices.

Reference: What's New in Kerberos Authentication

http://technet.microsoft.com/en-us/library/hh831747.aspx.

Question No : 85 - (Topic 2)

Your network contains an Active Directory domain named contoso.com. The domain
contains a server named Server1 that runs Windows Server 2012 R2. Server1 is an
enterprise root certification authority (CA) for contoso.com.

Your user account is assigned the certificate manager role and the auditor role on the
contoso.com CA. Your account is a member of the local Administrators group on Server1.

You enable CA role separation on Server1.

You need to ensure that you can manage the certificates on the CA.

What should you do?

A. Remove your user account from the local Administrators group.
B. Assign the CA administrator role to your user account.
C. Assign your user account the Bypass traverse checking user right.
D. Remove your user account from the Manage auditing and security log user right.

Answer: D
Explanation:

The separation of CA roles can be enforced using role separation. Once enforced, role
separation only allows a user to be assigned a single role. If a user is assigned to more
than one role and attempts to perform an operation on the CA, the operation is denied. For
this reason, before role separation is enabled, a user should be assigned only one CA role.

Reference: Role Separation

Question No : 86 - (Topic 2)

You deploy an Active Directory Federation Services (AD FS) 2.1 infrastructure. The
infrastructure uses Active Directory as the attribute store.

Some users report that they fail to authenticate to the AD FS infrastructure.

You discover that only users who run third-party web browsers experience issues.

You need to ensure that all of the users can authenticate to the AD FS infrastructure
successfully.

Which Windows PowerShell command should you run?

A. Set-ADFSProperties -ProxyTrustTokenLifetime 1:00:00
B. Set-ADFSProperties -AddProxyAuthenticationRules None
C. Set-ADFSProperties -SSOLifetime 1:00:00
D. Set-ADFSProperties -ExtendedProtectionTokenCheck None

Answer: D
Explanation:
Explanation/Reference:

Certain client browser software, such as Firefox, Chrome, and Safari, does not support the
Extended Protection for Authentication capabilities that can be used across the Windows
platform to protect against man-in-the-middle attacks. To prevent this type of attack from
occurring over secure AD FS communications, AD FS 2.0 enforces (by default) that all
communications use a channel binding token (CBT).

Note: Disable the Extended Protection for Authentication feature

To disable the Extended Protection for Authentication feature in AD FS 2.0

✑ On a federation server, log in using the Administrator account, open the Windows
PowerShell command prompt, and then type the following command:
Set-ADFSProperties -ExtendedProtectionTokenCheck None
✑ Repeat this step on each federation server in the farm.

Reference: Configuring Advanced Options for AD FS 2.0

Question No : 87 HOTSPOT - (Topic 2)

Your company has a main office and a branch office. An Active Directory site exists for
each office.

The network contains an Active Directory forest named contoso.com. The contoso.com
domain contains three member servers named Server1, Server2, and Server3. All servers
run Windows Server 2012 R2.

In the main office, you configure Server1 as a file server that uses BranchCache.

In the branch office, you configure Server2 and Server3 as BranchCache hosted cache
servers.

You are creating a Group Policy for the branch office site.

Which two Group Policy settings should you configure?

To answer, select the appropriate two settings in the answer area.

Answer:

Explanation:

To use Group Policy to configure clients for hosted cache mode

Step x: In the Turn on BranchCache dialog box, click Enabled, and then click OK.
Step x+1: In the Group Policy Management Editor console, ensure that BranchCache is still
selected, and then in the details pane double-click Set BranchCache Hosted Cache mode.
The Set BranchCache Hosted Cache mode dialog box opens.

Question No : 88 - (Topic 2)

Your network contains two servers named Server1 and Server2 that run Windows Server
2008 R2. Server1 and Server2 are nodes in a failover cluster named Cluster1. The network
contains two servers named Server3 and Server4 that run Windows Server 2012 R2.
Server3 and Server4 are nodes in a failover cluster named Cluster2.

You need to move all of the applications and the services from Cluster1 to Cluster2.

What should you do first from Failover Cluster Manager?

A. On a server in Cluster2, configure Cluster-Aware Updating.
B. On a server in Cluster2, click Move Core Cluster Resources, and then click Best
Possible Node.
C. On a server in Cluster1, click Move Core Cluster Resources, and then click Best
Possible Node.
D. On a server in Cluster1, click Migrate Roles.

Answer: D
Explanation:

Incorrect:
Not A. Cluster Aware Updating can greatly simplify the process of applying operating
system patches to Windows Server 2012 or 2012 R2 failover cluster nodes.
Not B. Not C. Move Core Cluster Resources is used to move resources from one node to another
within the same cluster.

Reference: Migrating Clustered Services and Applications to Windows Server 2012,
Migration Between Two Multi-Node Clusters

https://technet.microsoft.com/en-us/library/dn486774.aspx#BKMK_Steps_for_migrating

Question No : 89 - (Topic 2)

You have a server named Server1 that runs Windows Server 2012 R2.

Server1 has a single volume that is encrypted by using BitLocker Drive Encryption
(BitLocker).

BitLocker is configured to save encryption keys to a Trusted Platform Module (TPM).

Server1 is configured to perform a daily system image backup.

The motherboard on Server1 is upgraded.

After the upgrade, Windows Server 2012 R2 on Server1 fails to start.

You need to start the operating system on Server1 as soon as possible.

What should you do?

A. Start Server1 from the installation media. Run startrec.exe.
B. Move the disk to a server that has a model of the old motherboard. Start the server from
the installation media. Run bcdboot.exe.
C. Move the disk to a server that has a model of the old motherboard. Start the server. Run
tpm.msc.
D. Start Server1 from the installation media. Perform a system image recovery.

Answer: C
Explanation:

By moving the hard drive to a server that has a model of the old motherboard, the system
would be able to start. As BitLocker was configured to save encryption keys to a Trusted
Platform Module (TPM), we can use tpm.msc to access the TPM settings.

Note: After you replace the motherboard, you need to repopulate the TPM with new
information regarding the encryption of the hard disk.
We use these commands to repopulate the information in the TPM (without PIN):
manage-bde -protectors -delete C: -type TPM
manage-bde -protectors -add C: -tpm

Incorrect:
Not D. After the system image recovery you would still have the new motherboard installed.
The problem would return.

Reference: BitLocker - New motherboard replacement


Question No : 90 - (Topic 2)

Your network contains an Active Directory domain named contoso.com. The domain
contains a server named Server1 that runs Windows Server 2012 R2 and has the DHCP
Server server role installed. Server1 has an IPv6 scope named Scope1.

You implement an additional DHCP server named Server2 that runs Windows Server 2012
R2.

You need to provide high availability for Scope1. The solution must minimize administrative
effort.

What should you do?

A. Install and configure Network Load Balancing (NLB) on Server1 and Server2.
B. Create a scope on Server2.
C. Configure DHCP failover on Server1.
D. Install and configure Failover Clustering on Server1 and Server2.

Answer: C
Explanation:

Overview: Configure DHCP failover using the DHCP console

To configure DHCP failover using the DHCP console, right-click a DHCP scope or
right-click IPv4 and then click Configure Failover.

Configure Failover

The Configure Failover wizard guides you through configuring DHCP failover on the
selected scope.

Note: The DHCP server failover feature, available in Windows Server 2012 and later,
provides the ability to have two DHCP servers provide IP addresses and option
configuration to the same subnet or scope, providing for continuous availability of DHCP
service to clients.

Incorrect:
Not A. NLB is not related to DHCP scope availability.
Not B. DHCP failover requirements include:
DHCP Scopes requirement:
At least one IPv4 DHCP scope must be configured on the primary DHCP server.
The same DHCP scope ID, or an overlapping scope, must not be configured on the failover
partner.
Not D. Failover clustering is possible, but would not minimize administration.

Reference: Deploy DHCP Failover

Question No : 91 - (Topic 2)

Your company recently deployed a new Active Directory forest named contoso.com. The
forest contains two Active Directory sites named Site1 and Site2. The first domain
controller in the forest runs Windows Server 2012 R2.

You need to force the replication of the SYSVOL folder from Site1 to Site2.

Which tool should you use?

A. Active Directory Sites and Services
B. DFS Management
C. Repadmin
D. Dfsrdiag

Answer: D
Explanation:


In Windows Server 2012 R2, Windows Server 2008 R2, or Windows Server 2008, you can
force replication immediately by using DFS Management, as described in Edit Replication
Schedules. You can also force replication by using the Dfsrdiag SyncNow command. You
can force polling by using the Dfsrdiag PollAD command.

Reference: DFS Replication: Frequently Asked Questions (FAQ)

http://technet.microsoft.com/en-us/library/cc773238(v=ws.10).aspx#BKMK_072

Question No : 92 - (Topic 2)

Your network contains two servers that run Windows Server 2012 R2 named Server1 and
Server2. Both servers have the File Server role service installed.

On Server2, you create a share named Backups.

From Windows Server Backup on Server1, you schedule a full backup to run every night.
You set the backup destination to \\Server2\Backups.

After several weeks, you discover that \\Server2\Backups only contains the last backup that
completed on Server1.

You need to ensure that multiple backups of Server1 are maintained.

What should you do?

A. Modify the Volume Shadow Copy Service (VSS) settings.
B. Modify the properties of the Windows Store Service (WSService) service.
C. Change the backup destination.
D. Configure the permission of the Backups share.

Answer: C
Explanation:
The destination in the exhibit shows that a network share is used. If a network share is being
used, only the latest copy will be saved.


Reference: Where should I save my backup?

http://windows.microsoft.com/en-us/windows7/where-should-i-save-my-backup

Question No : 93 - (Topic 2)

Your network contains an Active Directory forest. The forest contains one domain named
adatum.com. The domain contains three domain controllers. The domain controllers are
configured as shown in the following table.


DC2 has all of the domain-wide operations master roles. DC3 has all of the forest-wide
operations master roles.

You need to ensure that you can use Password Settings objects (PSOs) in the domain.

What should you do first?

A. Uninstall Active Directory from DC1.
B. Change the domain functional level.
C. Transfer the domain-wide operations master roles.
D. Transfer the forest-wide operations master roles.

Answer: A
Explanation:

In Windows Server 2008 and later, you can use fine-grained password policies to specify
multiple password policies and apply different password restrictions and account lockout
policies to different sets of users within a single domain.

Note: In Microsoft Windows 2000 and Windows Server 2003 Active Directory domains, you
could apply only one password and account lockout policy, which is specified in the
domain's Default Domain Policy, to all users in the domain. As a result, if you wanted
different password and account lockout settings for different sets of users, you had to either
create a password filter or deploy multiple domains. Both options were costly for different
reasons.

Reference: AD DS Fine-Grained Password and Account Lockout Policy Step-by-Step
Guide

Question No : 94 - (Topic 2)

Your network contains an Active Directory domain named adatum.com. The domain
contains two domain controllers that run Windows Server 2012 R2. The domain controllers
are configured as shown in the following table.

You log on to DC1 by using a user account that is a member of the Domain Admins group,
and then you create a new user account named User1.

You need to prepopulate the password for User1 on DC2.

What should you do first?

A. Connect to DC2 from Active Directory Users and Computers.
B. Add DC2 to the Allowed RODC Password Replication Policy group.
C. Add the User1 account to the Allowed RODC Password Replication Policy group.
D. Run Active Directory Users and Computers as a member of the Enterprise Admins
group.

Answer: D
Explanation:

To prepopulate the password cache for an RODC by using Active Directory Users and
Computers (see step 1 below).

Administrative credentials: To prepopulate the password cache for an RODC, you must be
a member of the Domain Admins group.

1. Click Start, click Administrative Tools, and then click Active Directory Users and
Computers.
2. Ensure that Active Directory Users and Computers points to the writable domain
controller that is running Windows Server 2008, and then click Domain Controllers.
3. In the details pane, right-click the RODC computer account, and then click
Properties.
4. Click the Password Replication Policy tab.
5. Click Advanced.
6. Click Prepopulate Passwords.
7. Type the name of the accounts whose passwords you want to prepopulate in the
cache for the RODC, and then click OK.
8. When you are asked if you want to send the passwords for the accounts to the
RODC, click Yes.

Note: You can prepopulate the password cache for an RODC with the passwords of user
and computer accounts that you plan to authenticate to it. When you prepopulate the
RODC password cache, you trigger the RODC to replicate and cache the passwords for
users and computers before the accounts try to log on in the branch office.

Incorrect:
Not C. You don't need to add User1 to the Allowed RODC Password Replication Policy
group. As a first step you should run Active Directory Users and Computers as a member
of the Domain/Enterprise Admins group.

Reference: Password Replication Policy Administration

http://technet.microsoft.com/en-us/library/cc753470(v=ws.10).aspx#BKMK_pre

Question No : 95 - (Topic 2)

You have a datacenter that contains six servers. Each server has the Hyper-V server role
installed and runs Windows Server 2012 R2. The servers are configured as shown in the
following table.

Host4 and Host5 are part of a cluster named Cluster1. Cluster1 hosts a virtual machine
named VM1.

You need to move VM1 to another Hyper-V host. The solution must minimize the downtime
of VM1.

To which server and by which method should you move VM1?

A. To Host3 by using a storage migration
B. To Host6 by using a storage migration
C. To Host2 by using a live migration
D. To Host1 by using a quick migration

Answer: A
Explanation:

With Hyper-V live migration, you can move running VMs from one Hyper-V physical host to
another without any disruption of service or perceived downtime.

Host3 has an Intel processor, as do Host4 and Host5 in Cluster1, so the migration will
work fine.

Incorrect:
Not B, not C. The migration of a virtual machine between physical computers is only
supported on computers that have the same processor steppings or are from the same
vendor. Therefore you cannot move a virtual machine from a Hyper-V host on an Intel-
based server to a Hyper-V Host on an AMD-based server.
Not D. Quick Migration saves, moves and restores VMs, which results in some downtime.

Reference: Hyper-V Migration Guide

http://technet.microsoft.com/en-us/library/ee849855(v=WS.10).aspx

Reference: Virtual Machine Storage Migration Overview

http://technet.microsoft.com/en-us/library/hh831656.aspx

Reference: Windows Server 2008 R2 & Microsoft Hyper-V Server 2008 R2 - Hyper-V Live
Migration Overview & Architecture
(http://www.microsoft.com/en-us/download/details.aspx?id=12601)

Question No : 96 - (Topic 2)

Your network contains an Active Directory domain named contoso.com. The domain
contains two member servers named Server1 and Server2.

You install the DHCP Server server role on Server1 and Server2. You install the IP
Address Management (IPAM) Server feature on Server1.

You notice that you cannot discover Server1 or Server2 in IPAM.

You need to ensure that you can use IPAM to discover the DHCP infrastructure.

Which two actions should you perform? (Each correct answer presents part of the solution.
Choose two.)

A. On Server2, create an IPv4 scope.
B. On Server1, run the Add-IpamServerInventory cmdlet.
C. On Server2, run the Add-DhcpServerInDc cmdlet.
D. On both Server1 and Server2, run the Add-DhcpServerv4Policy cmdlet.
E. On Server1, uninstall the DHCP Server server role.

Answer: B,C
Explanation:

B. The Add-IpamServerInventory cmdlet adds a new infrastructure server to the IP Address
Management (IPAM) server inventory. Use the fully qualified domain name (FQDN) of the
server to add to the server inventory.
C. The Add-DhcpServerInDC cmdlet adds the computer running the DHCP server service
to the list of authorized Dynamic Host Configuration Protocol (DHCP) server services in the
Active Directory (AD). A DHCP server service running on a domain joined computer needs
to be authorized in AD so that it can start leasing IP addresses on the network.

Reference: Add-IpamServerInventory; Add-DhcpServerInDC

Question No : 97 - (Topic 2)

Your network contains an Active Directory domain named contoso.com. The domain
contains two sites named Site1 and Site2 and two domain controllers named DC1 and
DC2. Both domain controllers are located in Site1.

You install an additional domain controller named DC3 in Site1 and you ship DC3 to Site2.

A technician connects DC3 to Site2.

You discover that users in Site2 are authenticated by all three domain controllers.

You need to ensure that the users in Site2 are authenticated by DC1 or DC2 only if DC3 is
unavailable.

What should you do?

A. From Network Connections, modify the IP address of DC3.
B. In Active Directory Sites and Services, modify the Query Policy of DC3.
C. From Active Directory Sites and Services, move DC3.
D. In Active Directory Users and Computers, configure the msDS-PrimaryComputer
attribute for the users in Site2.

Answer: C
Explanation:

DC3 needs to be moved to Site2 in AD DS.

Incorrect:
Not A. Modifying the IP address will not affect authentication.
Not B. A query policy prevents specific Lightweight Directory Access Protocol (LDAP)
operations from adversely impacting the performance of the domain controller and also
makes the domain controller more resilient to denial-of-service attacks.

Reference: Move a domain controller between sites

http://technet.microsoft.com/en-us/library/cc759326(v=ws.10).aspx

Question No : 98 - (Topic 2)

Your network contains an Active Directory domain named contoso.com. The domain
contains a server named Server1 that runs a Server Core installation of Windows Server
2012 R2.

You need to deploy a certification authority (CA) to Server1. The CA must support the auto-
enrollment of certificates.

Which two cmdlets should you run? (Each correct answer presents part of the solution.
Choose two.)

A. Add-CAAuthorityInformationAccess
B. Install-AdcsCertificationAuthority
C. Add-WindowsFeature
D. Install-AdcsOnlineResponder
E. Install-AdcsWebEnrollment

Answer: B,E
Explanation:
B. The Install-AdcsCertificationAuthority cmdlet performs installation and configuration of
the AD CS CA role service. It can be used to install a root CA.
Example:
Install-AdcsCertificationAuthority -CAType StandaloneRootCA -CACommonName "ContosoRootCA" -KeyLength 2048 -HashAlgorithm SHA1 -CryptoProviderName "RSA#Microsoft Software Key Storage Provider"

E. The Install-AdcsWebEnrollment cmdlet performs initial installation and configuration of
the Certification Authority Web Enrollment role service.

Note: Prior to the availability of Certificate Enrollment Web Services, AD CS required that
client computers configured for certificate auto-enrollment be connected directly to the
corporate network. Certificate Enrollment Web Services allows organizations to enable AD
CS using a perimeter network. This allows users and computers outside the corporate
network to enroll for certificates.


Certificate Enrollment web service

Reference: Deploying AD CS Using Windows PowerShell

Question No : 99 - (Topic 2)

Your network contains an Active Directory forest named contoso.com. All servers run
Windows Server 2012 R2.

The domain contains four servers. The servers are configured as shown in the following
table.

You need to deploy IP Address Management (IPAM) to manage DNS and DHCP.

On which server should you install IPAM?

A. DC1
B. DC2
C. DC3
D. Server1

Answer: D

Explanation:

IPAM cannot be installed on domain controllers. All servers except Server1 have the DC
role.

Reference: IP Address Management (IPAM) Overview

http://technet.microsoft.com/en-us/library/hh831353.aspx

Question No : 100 HOTSPOT - (Topic 2)

You have a server named Server1 that runs Windows Server 2012 R2.

You are configuring a storage space on Server1.

You need to ensure that the storage space supports tiered storage.

Which settings should you configure?

To answer, select the appropriate options in the answer area.


Answer:

Explanation:


Disk Allocation: Automatic

* When using tiers, you must use fixed provisioning.


http://blogs.technet.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74/3201.Figure17.jpg

Question No : 101 DRAG DROP - (Topic 2)

Your network contains an Active Directory domain named contoso.com. The domain
contains a server named Server1 that runs Windows Server 2012 R2.

You plan to install the Active Directory Federation Services server role on Server1 to allow
for Workplace Join.

You run nslookup enterpriseregistration and you receive the following results:

You need to create a certificate request for Server1 to support the Active Directory
Federation Services (AD FS) installation.

How should you configure the certificate request?

To answer, drag the appropriate names to the correct locations. Each name may be used
once, more than once, or not at all. You may need to drag the split bar between panes or
scroll to view content.

Answer:

Explanation:

Obtain a server SSL certificate from either a public certificate authority (CA) or from your
organization's PKI subordinate CA that is trusted by a public certificate authority.

The server SSL certificate must have the following certificate attributes to be used with
Workplace Join:

- Subject Name (CN): adfs1.contoso.com
- Subject Alternative Name (DNS): adfs1.contoso.com
- Subject Alternative Name (DNS): enterpriseregistration.contoso.com

Question No : 102 - (Topic 2)

Your network contains four Active Directory forests. Each forest contains an Active
Directory Rights Management Services (AD RMS) root cluster.

All of the users in all of the forests must be able to access protected content from any of
the forests.

You need to identify the minimum number of AD RMS trusts required.

How many trusts should you identify?

A. 3
B. 6
C. 12
D. 16

Answer: C
Explanation:

The number of AD RMS trusts required to interact between all AD RMS forests can be
defined by using the following formula: N*(N-1).
Here N=4, so the number of trusts is 12 (4*3).

Reference: AD RMS Prerequisites, Important considerations for installing AD RMS in a
multi-forest environment

Question No : 103 - (Topic 2)

Your network contains three servers named Server1, Server2, and Server3. All servers run
Windows Server 2012 R2.

You need to ensure that Server1 can provide iSCSI storage for Server2 and Server3.

What should you do on Server1?

A. Start the Microsoft iSCSI Initiator Service and configure the iSCSI Initiator Properties.
B. Install the iSNS Server service feature and create a Discovery Domain.
C. Install the Multipath I/O (MPIO) feature and configure the MPIO Properties.
D. Install the iSCSI Target Server role service and configure iSCSI targets.

Answer: D
Explanation:

iSCSI Target Server: The server that runs the iSCSI Target. It is also the iSCSI Target role
name in Windows Server 2012.

Note:
iSCSI: It is an industry-standard protocol that allows sharing block storage over Ethernet. The
server that shares the storage is called the iSCSI Target. The server (machine) that consumes the
storage is called the iSCSI initiator. Typically, the iSCSI initiator is an application server. For
example, if an iSCSI Target provides storage to a SQL server, the SQL server will be the iSCSI
initiator in this deployment.

Target: It is an object which allows the iSCSI initiator to make a connection. The Target
keeps track of the initiators which are allowed to be connected to it. The Target also keeps
track of the iSCSI virtual disks which are associated with it. Once the initiator establishes
the connection to the Target, all the iSCSI virtual disks associated with the Target will be
accessible by the initiator.

Question No : 104 - (Topic 2)

Your network contains an Active Directory forest. The forest contains two domains named
contoso.com and fabrikam.com. The functional level of the forest is Windows Server 2003.

You have a domain outside the forest named adatum.com.

You need to configure an access solution to meet the following requirements:

* Users in adatum.com must be able to access resources in contoso.com.

* Users in adatum.com must be prevented from accessing resources in fabrikam.com.

* Users in both contoso.com and fabrikam.com must be prevented from accessing
resources in adatum.com.

What should you create?

A. a one-way realm trust from contoso.com to adatum.com
B. a one-way realm trust from adatum.com to contoso.com
C. a one-way external trust from contoso.com to adatum.com
D. a one-way external trust from adatum.com to contoso.com

Answer: C
Explanation:

The contoso domain must trust the adatum domain.

Note: In a One-way: incoming trust, users in your (trusted) domain can be authenticated in
the other (trusting) domain. Users in the other domain cannot be authenticated in your
domain.

Incorrect:
Not A, not B. Use realm trusts to form a trust relationship between a non-Windows
Kerberos realm and a Windows Server domain.
Not D. The resources that are to be shared are in the contoso domain.

Reference: Trust types

Question No : 105 - (Topic 2)

Your network contains two Active Directory forests named contoso.com and adatum.com.
Each forest contains one domain. Contoso.com has a two-way forest trust to adatum.com.
Selective authentication is enabled on the forest trust.

Contoso contains 10 servers that have the File Server role service installed. Users
successfully access shared folders on the file servers by using permissions granted to the
Authenticated Users group.

You migrate the file servers to adatum.com.

Contoso users report that after the migration, they are unable to access shared folders on
the file servers.

You need to ensure that the Contoso users can access the shared folders on the file
servers.

What should you do?

A. Disable selective authentication on the existing forest trust.
B. Disable SID filtering on the existing forest trust.
C. Run netdom and specify the /quarantine attribute.
D. Replace the existing forest trust with an external trust.

Answer: B
Explanation:

Although it is not recommended, you can use this procedure to disable security identifier
(SID) filter quarantining for an external trust with the Netdom.exe tool. You should consider
disabling SID filter quarantining only in the following situations:
* Users have been migrated to the trusted domain with their SID histories preserved, and
you want to grant those users access to resources in the trusting domain (the former
domain of the migrated users) based on the sIDHistory attribute.

Etc.

Reference: Disabling SID filter quarantining

http://technet.microsoft.com/en-us/library/cc794713(v=ws.10).aspx


Question No : 106 HOTSPOT - (Topic 2)

Your network contains an Active Directory domain named contoso.com. All domain
controllers run Windows Server 2012 R2.

The network has the physical sites and TCP/IP subnets configured as shown in the
following table.

You have a web application named App1 that is hosted on six separate Web servers. DNS
has the host names and IP addresses registered as shown in the following table.

You discover that when users connect to app1.contoso.com, they are connected frequently
to a server that is not on their local subnet.

You need to ensure that when the users connect to app1.contoso.com, they connect to a
server on their local subnet. The connections must be distributed across the servers that
host app1.contoso.com on their subnet.

Which two settings should you configure?

To answer, select the appropriate two settings in the answer area.

Answer:


Explanation:


DNS Round Robin is a mechanism for choosing an IP address from the list returned by a
DNS server so that all clients won't get the same IP address every time. Netmask ordering
is a mechanism for further optimizing which IP address is used by attempting to determine
the closest result.

Question No : 107 - (Topic 2)

Your network contains an Active Directory domain named contoso.com. The domain
contains servers named Server1 and Server2 that run Windows Server 2012 R2. Server1
has the Active Directory Federation Services server role installed. Server2 is a file server.

Your company introduces a Bring Your Own Device (BYOD) policy.

You need to ensure that users can use a personal device to access domain resources by
using Single Sign-On (SSO) while they are connected to the internal network.

Which two actions should you perform? (Each correct answer presents part of the solution.
Choose two.)

A. Enable the Device Registration Service in Active Directory.
B. Publish the Device Registration Service by using a Web Application Proxy.
C. Configure Active Directory Federation Services (AD FS) for the Device Registration
Service.
D. Create and configure a sync share on Server2.
E. Install the Work Folders role service on Server2.

Answer: A,C
Explanation:

* Workplace Join leverages a feature included in the Active Directory Federation Services
(AD FS) Role in Windows Server 2012 R2, called Device Registration Service (DRS).
DRS provisions a device object in Active Directory when a device is Workplace Joined.
Once the device object is in Active Directory, attributes of that object can be retrieved and
used to provide conditional access to resources and applications. The device identity is
represented by a certificate which is set on the personal device by DRS when the device is
Workplace Joined.

* In Windows Server 2012 R2, AD FS and Active Directory Domain Services have been
extended to comprehend the most popular mobile devices and provide conditional access
to enterprise resources based on user+device combinations and access policies. With
these policies in place, you can control access based on users, devices, locations, and
access times.

Reference: BYOD Basics: Enabling the use of Consumer Devices using Active Directory in
Windows Server 2012 R2

Question No : 108 HOTSPOT - (Topic 2)

You have a server that runs Windows Server 2012 R2 and has the iSCSI Target Server
role service installed.

You run the New-IscsiVirtualDisk cmdlet as shown in the New-IscsiVirtualDisk exhibit.


(Click the Exhibit button.)

To answer, complete each statement according to the information presented in the exhibits.
Each correct selection is worth one point.

Answer:


Explanation:

* From the exhibit we see that the size is 10737418240 bytes. This is roughly 10 GB.

* From the exhibit we also see 'Status: Not connected'.

Note: Target: It is an object which allows the iSCSI initiator to make a connection. The
Target keeps track of the initiators which are allowed to be connected to it. The Target also
keeps track of the iSCSI virtual disks which are associated with it. Once the initiator
establishes the connection to the Target, all the iSCSI virtual disks associated with the
Target will be accessible by the initiator.

Question No : 109 - (Topic 2)

Your network contains an Active Directory domain named contoso.com. All servers run
Windows Server 2012 R2.

You are creating a central access rule named TestFinance that will be used to grant
members of the Authenticated users group access to a folder stored on a Microsoft
SharePoint Server 2013 server.

You need to ensure that the permissions are granted when the rule is published.

What should you do?

A. Set the Permissions to Use the following permissions as proposed permissions.
B. Set the Permissions to Use following permissions as current permissions.
C. Add a Resource condition to the current permissions entry for the Authenticated Users
principal.
D. Add a User condition to the current permissions entry for the Authenticated Users
principal.

Answer: B
Explanation:

To create a central access rule (see step 5 below):

1. In the left pane of the Active Directory Administrative Center, click Tree View,
select Dynamic Access Control, and then click Central Access Rules.
2. Right-click Central Access Rules, click New, and then click Central Access Rule.
3. In the Name field, type Finance Documents Rule.
4. In the Target Resources section, click Edit, and in the Central Access Rule dialog
box, click Add a condition. Add the following condition:
[Resource] [Department] [Equals] [Value] [Finance], and then click OK.
5. In the Permissions section, select Use following permissions as current
permissions, click Edit, and in the Advanced Security Settings for Permissions
dialog box click Add.

Note (not A): Use the following permissions as proposed permissions option lets you create
the policy in staging.

6. In the Permission entry for Permissions dialog box, click Select a principal, type
Authenticated Users, and then click OK.

Etc.

Incorrect:
Not A. Proposed permissions enable an administrator to more accurately model the impact
of potential changes to access control settings without actually changing them.

Reference: Deploy a Central Access Policy (Demonstration Steps)

https://technet.microsoft.com/en-us/library/hh846167.aspx

Question No : 110 - (Topic 2)

Your network contains an Active Directory domain named contoso.com. The domain
contains two servers named Server1 and Server2 that run Windows Server 2012 R2.
Server1 is a file server that has the Hyper-V server role installed.

Server1 hosts several virtual machines. The virtual machine configuration files are stored
on drive D and the VHD files are stored on drive E.

You plan to replace drive E with a larger volume.

You need to ensure that the virtual machines on Server1 remain available while drive E is
being replaced.

What should you do?

A. Perform a quick migration.
B. Add Server1 and Server2 as nodes in a failover cluster.
C. Perform a live migration.
D. Perform a storage migration.

Answer: D
Explanation:

Hyper-V in Windows Server 2012 R2 introduces support for moving virtual machine storage
without downtime by making it possible to move the storage while the virtual machine
remains running.

Reference: Virtual Machine Storage Migration Overview

http://technet.microsoft.com/en-us/library/hh831656.aspx

Question No : 111 HOTSPOT - (Topic 2)

Your network contains two Web servers named Server1 and Server2. Both servers run
Windows Server 2012 R2.

Server1 and Server2 are nodes in a Network Load Balancing (NLB) cluster. The NLB
cluster contains an application named App1 that is accessed by using the URL
http://app1.contoso.com.

You deploy a new server named Server3 that runs Windows Server 2012 R2. The
contoso.com DNS zone contains the records shown in the following table.

You need to add Server3 to the NLB cluster.

What command should you run?

To answer, select the appropriate options in the answer area.


Answer:

Explanation:

* The Add-NlbClusterNode cmdlet adds a new node to the NLB cluster. Once the new node
settings are circulated through all of the NLB cluster nodes, the new cluster node will be in a
running state in the cluster.


* The Get-NlbClusterNode cmdlet retrieves information about a node in the NLB cluster.

* EXAMPLE: This command adds host node2 to the cluster on node1.


C:\PS> Get-NlbCluster node1 | Add-NlbClusterNode -NewNodeName node2 -NewNodeInterface vlan-3

Name   State      Interface  HostID
----   -----      ---------  ------
node2  Converged  vlan-3     2

Question No : 112 DRAG DROP - (Topic 2)

Your network contains two Active Directory forests named contoso.com and adatum.com.
All domain controllers run Windows Server 2012 R2.

A federated trust exists between adatum.com and contoso.com. The trust provides
adatum.com users with access to contoso.com resources.

You need to configure Active Directory Federation Services (AD FS) claim rules for the
federated trust.

The solution must meet the following requirements:

✑ In contoso.com, replace an incoming claim type named Group with an outgoing
claim type named Role.
✑ In adatum.com, allow users to receive their tokens for the relying party by using
their Active Directory group membership as the claim type.

The AD FS claim rules must use predefined templates.

Which rule types should you configure on each side of the federated trust?

To answer, drag the appropriate rule types to the correct location or locations. Each rule
type may be used once, more than once, or not at all. You may need to drag the split bar
between panes or scroll to view content.

Answer:

Explanation:

* Acceptance transform rule set
A set of claim rules that you use on a particular claims provider trust to specify the
incoming claims that will be accepted from the claims provider organization and the
outgoing claims that will be sent to the relying party trust.
Used on: Claims provider trusts

* Issuance Authorization Rule Set
A set of claim rules that you use on a relying party trust to specify the claims that will be
issued to the relying party.
Used on: Relying party trusts


Question No : 113 - (Topic 2)

Your network contains an Active Directory forest named contoso.com. The forest contains
a single domain. The forest functional level is Windows Server 2012 R2.

You have a domain controller named DC1.

On DC1, you create a new Group Policy object (GPO) named GPO1. You need to verify
that GPO1 was replicated to all of the domain controllers.

Which tool should you use?

A. Group Policy Management
B. Active Directory Sites and Services
C. DFS Management
D. Active Directory Administrative Center

Answer: A
Explanation:

In Windows Server 2012, the Group Policy Management Console (GPMC) was enhanced
to provide a report for the overall health state of the Group Policy infrastructure for a
domain, or to scope the health view to a single GPO.

Reference: Check Group Policy Infrastructure Status

http://technet.microsoft.com/en-us/library/jj134176.aspx

Question No : 114 - (Topic 2)

Your network contains an Active Directory forest named contoso.com. The forest contains
a single domain. The forest contains three Active Directory sites named SiteA, SiteB, and
SiteC. The sites contain four domain controllers. The domain controllers are configured as
shown in the following table.


An IP site link exists between each site.

You discover that the users in SiteC are authenticated by the domain controllers in SiteA
and SiteB.

You need to ensure that the SiteC users are authenticated by the domain controllers in
SiteB, unless all of the domain controllers in SiteB are unavailable.

What should you do?

A. Create an SMTP site link between SiteB and SiteC.
B. Create additional connection objects for DC3 and DC4.
C. Decrease the cost of the site link between SiteB and SiteC.
D. Create additional connection objects for DC1 and DC2.

Answer: C
Explanation:

By decreasing the site link cost between SiteB and SiteC the SiteC users would be
authenticated by SiteB rather than by SiteA.

Question No : 115 - (Topic 2)

Your network contains an Active Directory forest named contoso.com. The contoso.com
domain only contains domain controllers that run Windows Server 2012 R2.

The forest contains a child domain named child.contoso.com. The child.contoso.com
domain only contains domain controllers that run Windows Server 2008 R2. The
child.contoso.com domain contains a member server named Server1 that runs Windows
Server 2012 R2.

You have access to four administrative user accounts in the forest. The administrative user
accounts are configured as shown in the following table.

You need to ensure that you can add a domain controller that runs Windows Server 2012
R2 to the child.contoso.com domain.

Which account should you use to run adprep.exe?

A. Admin1
B. Admin2
C. Admin3
D. Admin4

Answer: C
Explanation:

Adprep.exe performs operations that must be completed on the domain controllers that run
in an existing Active Directory environment before you can add a domain controller that
runs that version of Windows Server.

Preparing to run adprep /domainprep (see step 2 below).

To help ensure that the adprep /domainprep command runs successfully, complete these
steps before you run the command on the infrastructure operations master role holder in
each domain:
1. Make sure that the schema updates that adprep /forestprep performs replicated
throughout the forest or that they at least replicated to the infrastructure master for
the domain where you plan to run adprep /domainprep.
2. Make sure that you can log on to the infrastructure master with an account that is a
member of the Domain Admins group.
3. Verify that the domain functional level is appropriate.

Reference: Running Adprep.exe

http://technet.microsoft.com/en-us/library/dd464018(v=ws.10).aspx


Question No : 116 - (Topic 2)

Your network contains an Active Directory domain named contoso.com. The domain
contains two member servers named Server1 and Server2. All servers run Windows Server
2012 R2.

Server1 and Server2 have the Failover Clustering feature installed. The servers are
configured as nodes in a failover cluster named Cluster1.

You configure File Services and DHCP as clustered resources for Cluster1. Server1 is the
active node for both clustered resources.

You need to ensure that if two consecutive heartbeat messages are missed between
Server1 and Server2, Server2 will begin responding to DHCP requests. The solution must
ensure that Server1 remains the active node for the File Services clustered resource for up
to five missed heartbeat messages.

What should you configure?

A. Affinity-None
B. Affinity-Single
C. The cluster quorum settings
D. The failover settings
E. A file server for general use
F. The Handling priority
G. The host priority
H. Live migration
I. The possible owner
J. The preferred owner
K. Quick migration
L. the Scale-Out File Server

Answer: D
Explanation:

The number of heartbeats that can be missed before failover occurs is known as the
heartbeat threshold. Heartbeat threshold is a failover clustering setting.

Reference: Tuning Failover Cluster Network Thresholds

http://technet.microsoft.com/en-us/library/dn265972.aspx

http://technet.microsoft.com/en-us/library/dd197562(v=ws.10).aspx

http://blogs.msdn.com/b/clustering/archive/2012/11/21/10370765.aspx

Question No : 117 - (Topic 2)

Your network contains two servers named Server1 and Server2 that run Windows Server
2012 R2. Server1 and Server2 have the Hyper-V server role installed. Server1 and Server2
are configured as Hyper-V replicas of each other.

Server2 hosts a virtual machine named VM5. VM5 is replicated to Server1.

You need to verify whether the replica of VM5 on Server1 is functional. The solution must
ensure that VM5 remains accessible to clients.

What should you do from Hyper-V Manager?

A. On Server1, execute a Planned Failover.
B. On Server1, execute a Test Failover.
C. On Server2, execute a Planned Failover.
D. On Server2, execute a Test Failover.

Answer: B
Explanation:

Test Failover (TFO) is an operation initiated on your replica virtual machine (in this scenario
on Server1) which allows you to test the sanity of the virtualized workload without
interrupting your production workload or ongoing replication.

TFO is performed on the replica virtual machine by right-clicking on the VM and choosing
the Test Failover operation (either from the Hyper-V Manager or from the Failover
Clustering Manager).

Reference: Types of failover operations in Hyper-V Replica – Part I – Test Failover.


Question No : 118 - (Topic 2)

Your network contains a server named Server1 that runs Windows Server 2012 R2.
Server1 has the Active Directory Certificate Services server role installed and is configured
as a standalone certification authority (CA).

You install a second server named Server2. You install the Online Responder role service
on Server2.

You need to ensure that Server1 can issue an Online Certificate Status Protocol (OCSP)
Response Signing certificate to Server2.

What should you run on Server1?

A. The certreq.exe command and specify the -policy parameter
B. The certutil.exe command and specify the -getkey parameter
C. The certutil.exe command and specify the -setreg parameter
D. The certreq.exe command and specify the -retrieve parameter

Answer: C
Explanation:
To prepare a computer running Windows Server to issue OCSP Response Signing
certificates:
1. On the server hosting the CA, open a command prompt, and type:
   certutil -v -setreg policy\EnableRequestExtensionList +1.3.6.1.5.5.7.48.1.5
2. Stop and restart the CA. You can do this at a command prompt by running the
following commands:
   net stop certsvc
   net start certsvc

Reference: Configure a CA to Support OCSP Responders

https://technet.microsoft.com/en-us/library/cc732526.aspx

Question No : 119 - (Topic 2)

Your network contains an Active Directory domain named contoso.com. The domain
contains two member servers named Server1 and Server2. All servers run Windows Server
2012 R2.

Server1 and Server2 have the Failover Clustering feature installed. The servers are
configured as nodes in a failover cluster named Cluster1. Cluster1 contains a Clustered
Shared Volume (CSV).

A developer creates an application named App1. App1 is NOT a cluster-aware application.
App1 stores data in the file system.

You need to ensure that App1 runs in Cluster1. The solution must minimize development
effort.

Which cmdlet should you run?

A. Add-ClusterServerRole
B. Add-ClusterGenericServiceRole
C. Add-ClusterScaleOutFileServerRole
D. Add-ClusterGenericApplicationRole

Answer: D
Explanation:

Add-ClusterGenericApplicationRole
Configure high availability for an application that was not originally designed to run in a
failover cluster.
If you run an application as a Generic Application, the cluster software will start the
application, then periodically query the operating system to see whether the application
appears to be running. If so, it is presumed to be online, and will not be restarted or failed
over.

EXAMPLE 1.
C:\PS> Add-ClusterGenericApplicationRole -CommandLine NewApplication.exe

Name            OwnerNode  State
----            ---------  -----
cluster1GenApp  node2      Online

Description
-----------
This command configures NewApplication.exe as a generic clustered application. A default
name will be used for client access and this application requires no storage.

Reference: Add-ClusterGenericApplicationRole

http://technet.microsoft.com/en-us/library/ee460976.aspx

Question No : 120 - (Topic 2)

Your network contains an Active Directory domain named contoso.com. All servers run
Windows Server 2012 R2.

The domain contains a domain controller named DC1 that is configured as an enterprise
root certification authority (CA).

All users in the domain are issued a smart card and are required to log on to their
domain-joined client computer by using their smart card.

A user named User1 resigned and started to work for a competing company.

You need to prevent User1 immediately from logging on to any computer in the domain.
The solution must not prevent other users from logging on to the domain.

Which tool should you use?

A. Active Directory Administrative Center
B. Certificate Templates
C. The Security Configuration Wizard
D. The Certificates snap-in

Answer: A
Explanation:

To disable or enable a user account using Active Directory Administrative Center

1. To open Active Directory Administrative Center, click Start, click Administrative Tools,
and then click Active Directory Administrative Center.
To open Active Directory Users and Computers in Windows Server 2012, click Start, type
dsac.exe.
2. In the navigation pane, select the node that contains the user account whose status you
want to change.
3. In the management list, right-click the user whose status you want to change.
4. Depending on the status of the user account, do one of the following:

Reference: Disable or Enable a User Account

Topic 3, Volume C

Question No : 121 HOTSPOT - (Topic 3)

Your network contains three application servers that run Windows Server 2012 R2. The
application servers have the Network Load Balancing (NLB) feature installed.

You create an NLB cluster that contains the three servers.

You plan to deploy an application named App1 to the nodes in the cluster. App1 uses TCP
port 8080 and TCP port 8081.

Clients will connect to App1 by using HTTP and HTTPS. When clients connect to App1 by
using HTTPS, session state information will be retained locally by the cluster node that
responds to the client request.

You need to configure a port rule for App1.

Which port rule should you use?

To answer, select the appropriate rule in the answer area.


Answer:


Explanation:


* Filtering Mode: Multiple hosts
The Multiple hosts parameter specifies that multiple hosts in the cluster will handle network
traffic for the associated port rule. This filtering mode provides scaled performance and
fault tolerance by distributing the network load among multiple hosts. You can specify that
the load be equally distributed among the hosts or that each host will handle a specified
load weight.

* Affinity
Select Affinity Single or Network to ensure that all network traffic from a particular client is
directed to the same host.


Question No : 122 - (Topic 3)

You have a failover cluster named Cluster1 that contains four nodes. All of the nodes run
Windows Server 2012 R2.

You need to schedule the installation of Windows updates on the cluster nodes.

Which tool should you use?

A. the Add-CauClusterRole cmdlet
B. the Wusa command
C. the Wuauclt command
D. the Invoke-CauScan cmdlet

Answer: A
Explanation:

To enable self-updating mode, the CAU clustered role must also be added to the failover
cluster. To do this by using the CAU UI, under Cluster Actions, use the Configure
Self-Updating Options action. Alternatively, run the Add-CauClusterRole Windows PowerShell
cmdlet.

Note: The process for installing service packs and hotfixes on Windows Server 2012 differs
from the process in earlier versions. In Windows Server 2012, you can use the
Cluster-Aware Updating (CAU) feature. CAU automates the software-updating process on
clustered servers while maintaining availability.

Reference: Cluster-Aware Updating Overview

Question No : 123 HOTSPOT - (Topic 3)

Your network contains an Active Directory domain named contoso.com. All servers run
Windows Server 2012 R2.

The domain contains two domain controllers. The domain controllers are configured as
shown in the following table.

On DC1, you create an Active Directory-integrated zone named Zone1. You verify that
Zone1 replicates to DC2.

You use DNSSEC to sign Zone1.

You discover that the updates to Zone1 fail to replicate to DC2.

You need to ensure that Zone1 replicates to DC2.

What should you configure on DC1?

To answer, select the appropriate tab in the answer area.


Answer:


Explanation:


We must allow and configure zone transfers.

To modify zone transfer settings using the Windows interface

1. Open DNS Manager.
2. Right-click a DNS zone, and then click Properties.
3. On the Zone Transfers tab, do one of the following:
4. If you allowed zone transfers, do one of the following:

Question No : 124 - (Topic 3)

You have a file server named Server1 that runs a Server Core Installation of Windows
Server 2012 R2.

Server1 has a volume named D that contains user data. Server1 has a volume named E
that is empty.

Server1 is configured to create a shadow copy of volume D every hour. You need to
configure the shadow copies of volume D to be stored on volume E.

What should you run?

A. The Set-Volume cmdlet with the -driveletter parameter
B. The Set-Volume cmdlet with the -path parameter
C. The vssadmin.exe add shadowstorage command
D. The vssadmin.exe create shadow command

Answer: C
Explanation:

Add ShadowStorage
Adds a shadow copy storage association for a specified volume.

Incorrect:
Not A. Sets or changes the file system label of an existing volume. -DriveLetter Specifies a
letter used to identify a drive or volume in the system.
Not B. Create Shadow
Creates a new shadow copy of a specified volume.
Not C. Sets or changes the file system label of an existing volume. -Path Contains valid
path information.

Reference: Vssadmin; Set-Volume

http://technet.microsoft.com/en-us/library/cc754968(v=ws.10).aspx

http://technet.microsoft.com/en-us/library/hh848673(v=wps.620).aspx

Question No : 125 HOTSPOT - (Topic 3)

Your network contains an Active Directory domain named contoso.com. The domain
contains two servers named Server1 and Server2. Both servers have the IP Address
Management (IPAM) Server feature installed.

You have a support technician named Tech1. Tech1 is a member of the IPAM
Administrators group on Server1 and Server2. You need to ensure that Tech1 can use
Server Manager on Server1 to manage IPAM on Server2. To which group on Server2
should you add Tech1? To answer, select the appropriate group in the answer area.

Answer:


Explanation:


Explanation/Reference:
If you are accessing the IPAM server remotely using Server Manager IPAM client RSAT,
then you must be a member of the WinRMRemoteWMIUsers group on the IPAM server, in
addition to being a member of the appropriate IPAM security group (or local Administrators
group).

Question No : 126 - (Topic 3)

Your network contains one Active Directory domain named contoso.com. The forest
functional level is Windows Server 2012. All servers run Windows Server 2012 R2. All
client computers run Windows 8.1.

The domain contains 10 domain controllers and a read-only domain controller (RODC)
named RODC01. All domain controllers and RODCs are hosted on a Hyper-V host that runs
Windows Server 2012 R2.

You need to identify which domain controller must be online when cloning a domain
controller.

Which cmdlet should you use?

A. Get-ADGroupMember
B. Get-ADDomainControllerPasswordReplicationPolicy
C. Get-ADDomainControllerPasswordReplicationPolicyUsage
D. Get-ADDomain
E. Get-ADOptionalFeature

Answer: D
Explanation:

A prerequisite to clone a domain controller is that an existing Windows Server 2012 DC
that hosts the PDC emulator role is online.
The output of the Get-ADDomain command includes a line indicating which domain
controller acts as a PDC emulator.
For example: PDCEmulator : Fabrikam-DC1.Fabrikam.com

Reference: Step-by-Step: Domain Controller Cloning

http://blogs.technet.com/b/canitpro/archive/2013/06/12/step-by-step-domain-controller-cloning.aspx

Reference: Get-ADDomain

https://technet.microsoft.com/en-us/library/ee617224.aspx

Question No : 127 - (Topic 3)

Your network contains an Active Directory domain named contoso.com. The domain
contains a domain controller named DC2 that runs Windows Server 2012 R2. DC2 has the
DHCP Server server role installed.

DHCP is configured as shown in the exhibit. (Click the Exhibit button.)

You discover that client computers cannot obtain IPv4 addresses from DC2.

You need to ensure that the client computers can obtain IPv4 addresses from DC2.

What should you do?

A. Disable the Deny filters.
B. Enable the Allow filters.
C. Authorize DC2.
D. Restart the DHCP Server service.

Answer: C
Explanation:

From the exhibit we see a red marker on the IPv4 server icon. The DHCP server is not
authorized.

Authorize DHCP Server

The final step is to authorize the server.
Right-click your FQDN and select Authorize.
Refresh the view by right-clicking your FQDN and selecting Refresh.
You should now see a green check mark next to IPv4.
Example:

Reference: Server 2012 DHCP Server Role

Question No : 128 - (Topic 3)

Your network contains an Active Directory domain named contoso.com.

A previous administrator implemented a Proof of Concept installation of Active Directory
Rights Management Services (AD RMS) on a server named Server1.

After the proof of concept was complete, the Active Directory Rights Management Services
server role was removed.

You attempt to deploy AD RMS.

During the configuration of AD RMS, you receive an error message indicating that an
existing AD RMS Service Connection Point (SCP) was found.

You need to ensure that clients will only attempt to establish connections to the new AD
RMS deployment.

What should you do?

A. From DNS, remove the records for Server1.
B. From DNS, increase the priority of the DNS records for the new deployment of AD RMS.
C. From Active Directory, remove the computer object for Server1.
D. From Active Directory, remove the SCP.

Answer: D
Explanation:

The Active Directory Rights Management Services (AD RMS) Service Connection Point
(SCP) is an object in Active Directory that holds the web address of the AD RMS
certification cluster. AD RMS-enabled applications use the SCP to discover the AD RMS
service; it is the first connection point for users to discover the AD RMS web services.

Only one SCP can exist in your Active Directory forest. If you try to install AD RMS and an
SCP already exists in your forest from a previous AD RMS installation that was not properly
deprovisioned, the new SCP will not install properly. It must be removed before you can
establish the new SCP.

Reference: The AD RMS Service Connection Point

http://social.technet.microsoft.com/wiki/contents/articles/710.the-ad-rms-service-connection-point.aspx

Question No : 129 HOTSPOT - (Topic 3)

Your network contains an Active Directory domain named contoso.com. The domain
contains a server named Server1 that runs Windows Server 2012 R2. Server1 has the
Active Directory Federation Services (AD FS) server role installed.

Adatum.com is a partner organization.

You are helping the administrator of adatum.com set up a federated trust between
adatum.com and contoso.com. The administrator of adatum.com asks you to provide a file
containing the federation metadata of contoso.com.

You need to identify the location of the federation metadata file. Which node in the AD FS
console should you select?

To answer, select the appropriate node in the answer area.

Answer:

Explanation:

See figure below.

Question No : 130 - (Topic 3)

You have two Windows Server Update Services (WSUS) servers named Server01 and
Server02. Server01 synchronizes from Microsoft Update. Server02 synchronizes updates
from Server01. Both servers are members of the same Active Directory domain.

You configure Server01 to require SSL for all WSUS metadata by using a certificate issued
by an enterprise root certification authority (CA).

You need to ensure that Server02 synchronizes updates from Server01.

What should you do on Server02?

A. From a command prompt, run wsusutil.exe configuresslproxy server02 443.
B. From a command prompt, run wsusutil.exe configuressl server01.
C. From a command prompt, run wsusutil.exe configuresslproxy server01 443.
D. From the Update Services console, modify the Update Source and Proxy Server
options.

Answer: C
Explanation:

We configure server02 to use server01 as a proxy for the updates by running:
wsusutil.exe configuresslproxy <ssl_proxy_ip_or_name> <port>
Server01 is the ssl_proxy and the port is 443 (the SSL port).

Reference: A work-around when using different proxies for HTTP and SSL in WSUS 3.0
SP1

http://blogs.technet.com/b/craigf/archive/2009/05/04/a-work-around-when-using-different-proxies-for-http-and-ssl-in-wsus-3-0-sp1.aspx

Question No : 131 - (Topic 3)

Your network contains an Active Directory domain named contoso.com. The domain
contains a file server named Server1. The File Server Resource Manager role service is
installed on Server1. All servers run Windows Server 2012 R2.

A Group Policy object (GPO) named GPO1 is linked to the organizational unit (OU) that
contains Server1. The following graphic shows the configured settings in GPO1.


Server1 contains a folder named Folder1. Folder1 is shared as Share1.

You attempt to configure access-denied assistance on Server1, but the Enable
access-denied assistance option cannot be selected from File Server Resource Manager.

You need to ensure that you can configure access-denied assistance on Server1 manually
by using File Server Resource Manager.

Which two actions should you perform?

A. Set the Enable access-denied assistance on client for all file types policy setting to
Disabled for GPO1.
B. Set the Customize message for Access Denied errors policy setting to Not Configured
for GPO1.
C. Set the Enable access-denied assistance on client for all file types policy setting to
Enabled for GPO1.
D. Set the Customize message for Access Denied errors policy setting to Enabled for
GPO1.

Answer: C,D
Explanation:
C. To configure access-denied assistance for all file types by using Group Policy
✑ Open Group Policy Management. In Server Manager, click Tools, and then click
Group Policy Management.
✑ Right-click the appropriate Group Policy, and then click Edit.
✑ Click Computer Configuration, click Policies, click Administrative Templates, click
System, and then click Access-Denied Assistance.
✑ Right-click Enable access-denied assistance on client for all file types, and then
click Edit.
✑ Click Enabled, and then click OK.

D. To configure access-denied assistance by using Group Policy (see step 5)
✑ Open Group Policy Management. In Server Manager, click Tools, and then click
Group Policy Management.
✑ Right-click the appropriate Group Policy, and then click Edit.
✑ Click Computer Configuration, click Policies, click Administrative Templates, click
System, and then click Access-Denied Assistance.
✑ Right-click Customize message for Access Denied errors, and then click Edit.
✑ Select the Enabled option.
Etc

Reference: Deploy Access-Denied Assistance (Demonstration Steps)

http://technet.microsoft.com/en-us/library/hh831402.aspx

Question No : 132 HOTSPOT - (Topic 3)

Your network contains an Active Directory domain named contoso.com. The relevant
servers in the domain are configured as shown in the following table.

You plan to create a shared folder on Server1 named Share1. Share1 must only be
accessed by users who are using computers that are joined to the domain.

You need to identify which servers must be upgraded to support the requirements of
Share1.

In the table below, identify which computers require an upgrade and which computers do
not require an upgrade. Make only one selection in each row. Each correct selection is
worth one point.

Answer:

Explanation:

There is new file server functionality in Windows Server 2012. The file server should be
upgraded to Windows Server 2012.

Question No : 133 - (Topic 3)

Your network contains one Active Directory domain named contoso.com. The domain
contains an IP Address Management (IPAM) server named Server1. Server1 manages
several DHCP and DNS servers.

From Server Manager on Server1, you create a custom role for IPAM.

You need to assign the role to a group named IP_Admins.

What should you do?

A. From Windows PowerShell, run the Add-Member cmdlet.
B. From Server Manager, create an access policy.
C. From Windows PowerShell, run the Set-IpamConfiguration cmdlet.
D. From Server Manager, create an access scope.

Answer: B
Explanation:

A role is a collection of IPAM operations. You can associate a role with a user or group in
Windows using an access policy. Several built-in roles are provided, but you can also
create customized roles to meet your business requirements.

Reference: Manage IPAM, Access Control

https://technet.microsoft.com/en-us/library/dn741281.aspx

Question No : 134 - (Topic 3)

You have five servers that run Windows Server 2012 R2. The servers have the Failover
Clustering feature installed. You deploy a new cluster named Cluster1. Cluster1 is
configured as shown in the following table.

Server1, Server2, and Server3 are configured as the preferred owners of the cluster roles.
Dynamic quorum management is disabled.

You plan to perform hardware maintenance on Server3.

You need to ensure that if the WAN link between Site1 and Site2 fails while you are
performing maintenance on Server3, the cluster resource will remain available in Site1.

What should you do?

A. Add a file share witness in Site1.
B. Enable DrainOnShutdown on Cluster1.
C. Remove the node vote for Server4 and Server5.
D. Remove the node vote for Server3.

Answer: C
Explanation:
Recommended Adjustments to Quorum Voting
When enabling or disabling a given WSFC (Windows Server Failover Clustering) node’s
vote, follow these guidelines:
* Exclude secondary site (here Site2) nodes (here Server4 and Server5). In general, do not
give votes to WSFC nodes that reside at a secondary disaster recovery site. You do not
want nodes in the secondary site to contribute to a decision to take the cluster offline when
there is nothing wrong with the primary site.

Reference: WSFC Quorum Modes and Voting Configuration (SQL Server)

Question No : 135 - (Topic 3)

You have a server named Server1 that runs Windows Server 2012 R2.

Windows Server 2012 R2 is installed on volume C.

You need to ensure that Safe Mode with Networking loads the next time Server1 restarts.

Which tool should you use?

A. The Msconfig command
B. The Bootcfg command
C. The Restart-Computer cmdlet
D. The Restart-Server cmdlet

Answer: A
Explanation:

Use system config (Msconfig) to configure boot options.

Reference: System Configuration – aka MSCONFIG.

Question No : 136 - (Topic 3)

Your network contains one Active Directory domain named contoso.com. The forest
functional level is Windows Server 2012. All servers run Windows Server 2012 R2. All
client computers run Windows 8.1.

The domain contains 10 domain controllers and a read-only domain controller (RODC)
named RODC01. All domain controllers and RODCs are hosted on a Hyper-V host that
runs Windows Server 2012 R2.

You need to identify whether deleted objects can be recovered from the Active Directory
Recycle Bin.

Which cmdlet should you use?

A. Get-ADGroupMember
B. Get-ADDomainControllerPasswordReplicationPolicy
C. Get-ADDomainControllerPasswordReplicationPolicyUsage
D. Get-ADDomain
E. Get-ADOptionalFeature

Answer: E
Explanation:

The Get-ADOptionalFeature cmdlet gets an optional feature or performs a search to
retrieve multiple optional features from an Active Directory.
Example: Get a specified optional feature
This command gets the optional feature with the name Recycle Bin Feature.
Windows PowerShell
PS C:\> Get-ADOptionalFeature -Identity 'Recycle Bin Feature'

Reference: Get-ADOptionalFeature

https://technet.microsoft.com/en-us/library/hh852212(v=wps.630).aspx

Question No : 137 - (Topic 3)

Your network contains one Active Directory domain named contoso.com. The forest
functional level is Windows Server 2012. All servers run Windows Server 2012 R2. All
client computers run Windows 8.1.

The domain contains 10 domain controllers and a read-only domain controller (RODC)
named RODC01. All domain controllers and RODCs are hosted on a Hyper-V host that
runs Windows Server 2012 R2.

You need to identify which security principals are authorized to have their password cached
on RODC01.

Which cmdlet should you use?

A. Get-ADGroupMember
B. Get-ADDomainControllerPasswordReplicationPolicy
C. Get-ADDomainControllerPasswordReplicationPolicyUsage
D. Get-ADDomain

Answer: B
Explanation:

The Get-ADDomainControllerPasswordReplicationPolicy cmdlet gets the users, computers,
service accounts and groups that are members of the applied list or denied list for a read-
only domain controller's (RODC) password replication policy. To get the members of the
applied list, specify the AppliedList parameter. To get the members of the denied list,
specify the DeniedList parameter.

Example: Get from an RODC domain controller password replication policy the allowed
accounts showing the name and object class of each:
Get-ADDomainControllerPasswordReplicationPolicy -Identity "FABRIKAM-RODC1" -Allowed | ft Name,ObjectClass

Reference: Get-ADDomainControllerPasswordReplicationPolicy

https://technet.microsoft.com/en-us/library/ee617207.aspx

Question No : 138 - (Topic 3)

Your network contains two Active Directory forests named contoso.com and adatum.com.
All of the domain controllers in both of the forests run Windows Server 2012 R2. The
adatum.com domain contains a file server named Server5.

Adatum.com has a one-way forest trust to contoso.com.

A contoso.com user named User10 attempts to access a shared folder on Server5 and
receives the error message shown in the exhibit. (Click the Exhibit button.)

You verify that the Authenticated Users group has Read permissions to the Data folder.

You need to ensure that User10 can read the contents of the Data folder on Server5 in the
adatum.com domain.

What should you do?

A. Grant the Other Organization group Read permissions to the Data folder.
B. Modify the list of logon workstations of the contoso\User10 user account.
C. Enable the Netlogon Service (NP-In) firewall rule on Server5.
D. Modify the permissions on the Server5 computer object in Active Directory.

Answer: D
Explanation:

* To resolve the issue, I had to open up AD Users and Computers --> enable Advanced
Features --> Select the Computer Object --> Properties --> Security --> Add the Group I
want to allow access to the computer (in this case, DomainA\Domain users) and allow
"Allowed to Authenticate". Once I did that, everything worked:

* For users in a trusted Windows Server 2008 or Windows Server 2003 domain or forest to
be able to access resources in a trusting Windows Server 2008 or Windows Server 2003
domain or forest where the trust authentication setting has been set to selective
authentication, each user must be explicitly granted the Allowed to Authenticate permission
on the security descriptor of the computer objects (resource computers) that reside in the
trusting domain or forest.

Reference: Grant the Allowed to Authenticate Permission on Computers in the Trusting
Domain or Forest.

http://technet.microsoft.com/en-us/library/cc816733(v=ws.10).aspx

Question No : 139 - (Topic 3)

Your network contains one Active Directory domain named contoso.com. The domain
contains three users named User1, User2, and User3.

You need to ensure that the users can log on to the domain by using the user principal
names (UPNs) shown in the following table.

What should you use?

A. the Set-ADDomain cmdlet
B. the Add-DNSServerSecondaryZone cmdlet
C. the Setspn command
D. the Set-ADUser cmdlet

Answer: D
Explanation:

The Set-ADUser cmdlet modifies the properties of an Active Directory user. You can modify
commonly used property values by using the cmdlet parameters.
Parameters include: UserPrincipalName

Each user account has a user principal name (UPN) in the format
<user>@<DNS-domain-name>. A UPN is a friendly name assigned by an administrator that is
shorter than the LDAP distinguished name used by the system and easier to remember. The
UPN is independent of the user object's DN, so a user object can be moved or renamed
without affecting the user logon name. When logging on using a UPN, users no longer have
to choose a domain from a list on the logon dialog box.

Reference: Technet, Set-ADUser

https://technet.microsoft.com/en-us/library/ee617215.aspx

Question No : 140 - (Topic 3)

Your network contains an Active Directory domain named contoso.com. The domain
contains a server named Server1 that runs Windows Server 2012.

Server1 is the enterprise root certification authority (CA) for contoso.com.

You need to enable CA role separation on Server1.

Which tool should you use?

A. The Certutil command
B. The Authorization Manager console
C. The Certsrv command
D. The Certificates snap-in

Answer: A
Explanation:

To enable role separation
✑ Open Command Prompt.
✑ Type:
certutil -setreg ca\RoleSeparationEnabled 1
Etc.

Reference: Enable role separation

Question No : 141 DRAG DROP - (Topic 3)

Your network contains one Active Directory domain. The domain contains two Hyper-V
hosts named Host1 and Host2 that run Windows Server 2012 R2. Host1 contains a virtual
machine named DC5. DC5 is a domain controller that runs Windows Server 2012 R2.

You configure Active Directory to support domain controller cloning for DC5, and then you
shut down DC5.

You need to create a clone of DC5 on Host2.

What should you run on each Hyper-V host? To answer, drag the appropriate commands
or cmdlets to the correct Hyper-V hosts. Each command or cmdlet may be used once, more
than once, or not at all. You may need to drag the split bar between panes or scroll to view
content.

Answer:

Explanation:
Host1: Export-VM
Host2: Import-VM

Use the import and export feature when you want to create a new virtual machine with the
same configuration as an existing machine in Hyper-V.
The Export-VM cmdlet exports a virtual machine to disk.
The Import-VM cmdlet imports a virtual machine from a file.

Question No : 142 HOTSPOT - (Topic 3)

Your network contains an Active Directory forest.

You implement Dynamic Access Control in the forest.

You have the claim types shown in the Claim Types exhibit. (Click the Exhibit button.)

The properties of a user named User1 are configured as shown in the User1 exhibit. (Click
the Exhibit button.)

The output of Whoami /claims for a user named User2 is shown in the Whoami exhibit.
(Click the Exhibit button.)

Select Yes if the statement can be shown to be true based on the available information;
otherwise select No. Each correct selection is worth one point.

Answer:

Question No : 143 - (Topic 3)

You have a server named Server1 that runs Windows Server 2012 R2.

A Microsoft Azure Backup of Server1 is created automatically every day.

You need to view the items that are included in the backup.

Which cmdlet should you run?

A. Get-OBPolicyState
B. Get-OBJob
C. Get-OBPolicy
D. Get-WBSummary

Answer: C
Explanation:

The Get-OBPolicy cmdlet gets the current backup policy that is set for the server, including
the details about scheduling backups, files included in the backup, and retention policy.

Reference: Technet, Get-OBPolicy

https://technet.microsoft.com/en-us/library/hh770406(v=wps.630).aspx

Question No : 144 HOTSPOT - (Topic 3)

Your network contains two application servers that run Windows Server 2012 R2. The
application servers have the Network Load Balancing (NLB) feature installed.

You create an NLB cluster that contains the two servers.

You plan to deploy an application named App1 to the nodes in the cluster. App1 uses TCP
port 8080 and TCP port 8081.

Clients will connect to App1 by using HTTP and HTTPS via a single reverse proxy. App1
does not use session state information.

You need to configure a port rule for App1. The solution must ensure that connections to
App1 are distributed evenly between the nodes.

Which port rule should you use?

To answer, select the appropriate rule in the answer area.

Answer:

Explanation:

* Only the TCP Protocol is needed
* Only a Single host is required.

Question No : 145 HOTSPOT - (Topic 3)

Your network contains one Active Directory forest. The forest has three sites configured as
shown in the following table.

The forest contains the site links configured as shown in the following table.

A domain controller named DC2 has an IP address of 192.168.2.2. DC2 is in Site2.

You run the following cmdlets.

New-ADReplicationSite Site3

New-ADReplicationSubnet -Name "192.168.3.0/24" -Site Site3

Use the drop-down menus to select the answer choice that completes each statement.

Answer:

Explanation:

* By default, all sites replicate through the DEFAULTIPSITELINK using the default
schedule, every 180 minutes.
* You need to move DC2 logically as well.

Question No : 146 - (Topic 3)

Your network contains one Active Directory forest named contoso.com. The forest contains
two child domains and six domain controllers. The domain controllers are configured as
shown in the following table.

You have a trust from contoso.com to another forest named fabrikam.com.

You plan to migrate users from contoso.com to fabrikam.com.

You need to ensure that the users who migrated to fabrikam.com can continue to access
shared resources in contoso.com. The solution must not require administrators to modify
permissions to shared resources.

What should you use?

A. Set-ADSite
B. Set-ADReplicationSite
C. Set-ADDomain
D. Set-ADReplicationSiteLink
E. Set-ADGroup
F. Set-ADForest
G. Netdom

Answer: G
Explanation:

The Netdom move command moves a workstation or member server to a new domain. The
act of moving a computer to a new domain creates an account for the computer on the
domain, if it does not already exist.

Reference: Technet, Netdom move

https://technet.microsoft.com/en-us/library/cc788127.aspx

Question No : 147 - (Topic 3)

Your company has two offices. The offices are located in Seattle and Montreal.

The network contains an Active Directory domain named contoso.com. The domain
contains two DHCP servers named Server1 and Server2. Server1 is located in the Seattle
office. Server2 is located in the Montreal office. All servers run Windows Server 2012 R2.

You need to create a DHCP scope for video conferencing in the Montreal office. The scope
must be configured as shown in the following table.

Which Windows PowerShell cmdlet should you run?

A. Add-DhcpServerv4SuperScope
B. Add-DhcpServerv4MulticastScope
C. Add-DHCPServerv4Policy
D. Add-DhcpServerv4Scope

Answer: B
Explanation:
The Add-DhcpServerv4MulticastScope cmdlet adds a multicast scope on the Dynamic
Host Configuration Protocol (DHCP) server.

Note: IPv4 multicast addresses are defined by the leading address bits of 1110, originating
from the classful network design of the early Internet when this group of addresses was
designated as Class D. The Classless Inter-Domain Routing (CIDR) prefix of this group is
224.0.0.0/4. The group includes the addresses from 224.0.0.0 to 239.255.255.255.

Reference: Add-DhcpServerv4MulticastScope

Question No : 148 - (Topic 3)

Your network contains an Active Directory domain named adatum.com. The domain
contains a file server named FS1 that runs Windows Server 2012 R2 and has the File
Server Resource Manager role service installed. All client computers run Windows 8.

File classification and Access-Denied Assistance are enabled on FS1.

You need to ensure that if users receive an Access Denied message, they can request
assistance by email from the Access Denied dialog box.

What should you configure?

A. A file management task
B. A classification property
C. The File Server Resource Manager Options
D. A report task

Answer: C
Explanation:

You can configure access-denied assistance individually on each file server by using the
File Server Resource Manager console.

Note:
To configure access-denied assistance by using File Server Resource Manager
✑ Open File Server Resource Manager. In Server Manager, click Tools, and then
click File Server Resource Manager.
✑ Right-click File Server Resource Manager (Local), and then click Configure
Options.
✑ Click the Access-Denied Assistance tab.
✑ Select the Enable access-denied assistance check box.
✑ In the Display the following message to users who are denied access to a folder or
file box, type a message that users will see when they are denied access to a file
or folder.
You can add macros to the message that will insert customized text.
✑ Click Configure email requests, select the Enable users to request assistance
check box, and then click OK.
✑ Click Preview if you want to see how the error message will look to the user.
✑ Click OK.

Reference: Deploy Access-Denied Assistance (Demonstration Steps)

Question No : 149 HOTSPOT - (Topic 3)

Your network contains two DHCP servers named Server1 and Server2. Server1 fails.

You discover that DHCP clients can no longer receive IP address leases.

You need to ensure that the DHCP clients receive IP addresses immediately.

What should you configure from the View/Edit Failover Relationship settings? To answer,
select the appropriate setting in the answer area.

Answer:

Explanation:

A manual failover will have to occur by clicking on the Change to partner down button (the
partner has to actually be unavailable to click this button).

Note: You can manually change the state of a server which is running in communication
interrupted to partner down using DHCP MMC or DHCP PowerShell.

In MMC, go to IPv4->Properties, go to Failover tab, select the specific failover relationship
and click edit. You will see "Change to partner down" button on the edit page. This button is
enabled when the server is running in communication interrupted state.

Question No : 150 - (Topic 3)

You have a DNS server that runs Windows Server 2012 R2. The server hosts the zone for
contoso.com and is accessible from the Internet.

You need to create a DNS record for the Sender Policy Framework (SPF) to list the hosts
that are authorized to send email for contoso.com.

Which type of record should you create?

A. mail exchanger (MX)
B. resource record signature (RRSIG)
C. text (TXT)
D. name server (NS)

Answer: C
Explanation:

To configure SPF records in the Windows Server DNS, follow these steps:
✑ Click Start, point to All Programs, point to Administrative Tools, and then click
DNS.
✑ In the left pane, expand the DNS server object, and then expand Forward Lookup
Zones.
✑ Right-click the domain folder to which you want to add the SPF record, and then
click Other New Records.
✑ In the Select a resource record type list, click Text (TXT), and then click Create
Record.
✑ If you add a record for the parent domain, leave the Record name box blank. If you
do not add a record for the parent domain, type the single part name of the domain
in the Record name box.
✑ In the Text box, type v=spf1 mx -all.
✑ Click OK, and then click Done.

Reference: How to configure Sender of Policy Framework records in the Windows Server
2003 Domain Name System

https://support.microsoft.com/en-us/kb/912716

Question No : 151 - (Topic 3)

You have a DNS server named Server1 that runs Windows Server 2012 R2.

Server1 has the zones shown in the following output.

You need to delegate permissions to modify the records in the adatum.com zone to a
group named Group1.

What should you do first?

A. Enable the distribution of the trust anchors for adatum.com.
B. Unsign adatum.com.
C. Store adatum.com in Active Directory.
D. Update the server data file for adatum.com.

Answer: A
Explanation: From the exhibit we see that the adatum.com zone is signed.
A trust anchor (or trust “point”) is a public cryptographic key for a signed zone. Trust
anchors must be configured on every non-authoritative DNS server that will attempt to
validate DNS data. You cannot distribute trust anchors until after a zone is signed.

Reference: Trust Anchors

https://technet.microsoft.com/en-us/library/dn593672.aspx

Question No : 152 HOTSPOT - (Topic 3)

Your network contains an Active Directory domain named contoso.com. The domain
contains a domain controller named DC1 and a server named Server1. Both servers run
Windows Server 2012 R2.

You configure the classification of a share on Server1 as shown in the Share1 Properties
exhibit. (Click the Exhibit button.)

You configure the resource properties in Active Directory as shown in the Resource
Properties exhibit. (Click the Exhibit button.)

You need to ensure that the Impact classification can be assigned to Share1 immediately.

Which cmdlet should you run on each server?

To answer, select the appropriate cmdlet for each server in the answer area.

Answer:

Explanation:

* Set-AdResourceProperty
The Set-ADResourceProperty cmdlet can be used to modify a resource property in Active
Directory.

* Update-FsrmClassificationPropertyDefinition
The Update-FsrmClassificationPropertyDefinition cmdlet synchronizes the classification
property definitions on the server with the Resource property definitions in Active Directory
Domain Service (AD DS).

Question No : 153 HOTSPOT - (Topic 3)

Your network contains an Active Directory domain named contoso.com. The domain
contains two Active Directory sites named Site1 and Site2.

You discover that when the account of a user in Site1 is locked out, the user can still log on
to the servers in Site2 for up to 15 minutes by using Remote Desktop Services (RDS).

You need to reduce the amount of time it takes to synchronize account lockout information
across the domain.

Which attribute should you modify?

To answer, select the appropriate attribute in the answer area.

Answer:

Explanation:

Explanation/Reference:
Enabling reciprocal replication between two sites involves modifying the options attribute
value on the site link object. With this attribute set on the site link, the KCC creates the
connections across the link with the appropriate setting that is in effect. Use ADSI Edit to
enable reciprocal replication.

Question No : 154 - (Topic 3)

Your network contains an Active Directory domain named contoso.com.

Domain controllers run either Windows Server 2008, Windows Server 2008 R2, or
Windows Server 2012 R2.

You have a Password Settings object (PSO) named PSO1.

You need to view the settings of PSO1.

Which tool should you use?

A. Active Directory Administrative Center
B. Get-ADAccountResultantPasswordReplicationPolicy
C. Group Policy Management
D. Get-ADDomainControllerPasswordReplicationPolicy

Answer: A
Explanation:

To implement Fine-Grained Passwords you have to deploy a Windows Server 2012
Domain Controller, with the domain functional level set at Windows Server 2008 or above.
You can now accomplish this task in ADAC (Active Directory Administrative Center).
Editing or viewing a policy is as simple as expanding the AD tree and selecting the correct
policy within the Password Settings container. Right-click Properties; or double-click opens
the policy for editing.

Reference: Guest Post: How to use Fine-Grained Passwords in Windows Server 2012

http://blogs.technet.com/b/uktechnet/archive/2012/08/28/guest-post-how-to-use-fine-grained-passwords-in-windows-server-2012.aspx

Question No : 155 - (Topic 3)

You have a server named Server1 that runs Windows Server 2012 R2.

From Server Manager, you install the Active Directory Certificate Services server role on
Server1.

A domain administrator named Admin1 logs on to Server1.

When Admin1 runs the Certification Authority console, Admin1 receives the following error
message.

You need to ensure that when Admin1 opens the Certification Authority console on
Server1, the error message does not appear.

What should you do?

A. Run the Install-AdcsCertificationAuthority cmdlet.
B. Install the Active Directory Certificate Services (AD CS) tools.
C. Modify the PATH system variable.
D. Add Admin1 to the Cert Publishers group.

Answer: B
Explanation:

* Cannot manage Active Directory Certificate Services

The error message is related to missing role configuration.

* Cannot Manage Active Directory Certificate Services
Resolution: configure the two Certification Authority and Certification Authority Web
Enrollment Roles.

* Active Directory Certificate Services (AD CS) is an Active Directory tool that lets
administrators customize services in order to issue and manage public key certificates.

AD CS included:
CA Web enrollment - connects users to a CA with a Web browser

Certification authorities (CAs) - manages certificate validation and issues certificates
Etc.

Incorrect:
Not A. The CA is installed; it just needs to be configured correctly.
Note: Install-AdcsCertificationAuthority
The Install-AdcsCertificationAuthority cmdlet performs installation and configuration of the
AD CS CA role service.

Reference: Cannot manage Active Directory Certificate Services in Server 2012 Error
0x800070002; Active Directory Certificate Services (AD CS) Definition

http://searchwindowsserver.techtarget.com/definition/Active-Directory-Certificate-Services-AD-CS

Question No : 156 - (Topic 3)

Your network contains an Active Directory domain named contoso.com.

You deploy a server named Server1 that runs Windows Server 2012 R2.

A local administrator installs the Active Directory Rights Management Services server role
on Server1.

You need to ensure that AD RMS clients can discover the AD RMS cluster automatically.

What should you do?

A. Run the Active Directory Rights Management Services console by using an account that
is a member of the Schema Admins group, and then configure the proxy settings.
B. Run the Active Directory Rights Management Services console by using an account that
is a member of the Schema Admins group, and then register the Service Connection Point
(SCP).
C. Run the Active Directory Rights Management Services console by using an account that
is a member of the Enterprise Admins group, and then register the Service Connection
Point (SCP).
D. Run the Active Directory Rights Management Services console by using an account that
is a member of the Enterprise Admins group, and then configure the proxy settings.

Answer: C
Explanation:

* The Active Directory Rights Management Services (AD RMS) Service Connection Point
(SCP) is an object in Active Directory that holds the web address of the AD RMS
certification cluster. AD RMS-enabled applications use the SCP to discover the AD RMS
service; it is the first connection point for users to discover the AD RMS web services.
* To register the SCP you must be a member of the local AD RMS Enterprise
Administrators group and the Active Directory Domain Services (AD DS) Enterprise Admins
group, or you must have been given the appropriate authority.

Reference: The AD RMS Service Connection Point

Question No : 157 - (Topic 3)

Your company has a main office and a branch office.

The main office contains a file server named Server1. Server1 has the BranchCache for
Network Files role service installed. The branch office contains a server named Server2.
Server2 is configured as a BranchCache hosted cache server.

You need to preload the data from the file shares on Server1 to the cache on Server2.

What should you run first?

A. Publish-BCFileContent
B. Add-BCDataCacheExtension
C. Set-BCCache
D. Export-BCCachePackage

Answer: A
Explanation:
See step 2 below.

To prehash content and preload the content on hosted cache servers

✑ Log on to the file or Web server that contains the data that you wish to preload,
and identify the folders and files that you wish to load on one or more remote
hosted cache servers.
✑ Run Windows PowerShell as an Administrator. For each folder and file, run either
the Publish-BCFileContent command or the Publish-BCWebContent command,
depending on the type of content server, to trigger hash generation and to add
data to a data package.
✑ After all the data has been added to the data package, export it by using the
Export-BCCachePackage command to produce a data package file.
✑ Move the data package file to the remote hosted cache servers by using your
choice of file transfer technology. FTP, SMB, HTTP, DVD and portable hard disks
are all viable transports.
✑ Import the data package file on the remote hosted cache servers by using the
Import-BCCachePackage command.

Reference: Prehashing and Preloading Content on Hosted Cache Servers (Optional)
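
The preload procedure above as commands, in an added example that is not part of the original practice test. The function names and folder paths are assumptions, and the SHA-256 comparison is an extra check added here for the transport step, since the package may travel over FTP, HTTP or removable media.

```powershell
# Added example; Export-PreloadPackage and Import-PreloadPackage are hypothetical
# helper names. The BranchCache cmdlets are the ones named in the procedure above.

function Export-PreloadPackage {
    # Run on the content server (Server1 in the question).
    param(
        [Parameter(Mandatory)][string[]]$ContentPath,  # folders behind the file shares (assumed)
        [Parameter(Mandatory)][string]$Destination     # empty folder for the package (assumed)
    )
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null

    # Step 2: generate hashes and stage the data for the data package.
    Publish-BCFileContent -Path $ContentPath -Recurse -StageData

    # Step 3: write the staged data to a data package file in $Destination.
    Export-BCCachePackage -Destination $Destination

    $package = Get-ChildItem -Path $Destination -Filter '*.zip' |
        Sort-Object LastWriteTime | Select-Object -Last 1
    if (-not $package) { throw "No package file was written to $Destination" }

    # Digest to pass along separately from the package, for the check after step 4.
    Get-FileHash -Path $package.FullName -Algorithm SHA256 | Select-Object Path, Hash
}

function Import-PreloadPackage {
    # Run on the hosted cache server (Server2 in the question) after the copy.
    param(
        [Parameter(Mandatory)][string]$PackagePath,
        [Parameter(Mandatory)][string]$ExpectedSha256
    )
    # Refuse a package that changed in transit.
    $actual = (Get-FileHash -Path $PackagePath -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) {
        throw "Package hash mismatch: expected $ExpectedSha256, got $actual"
    }

    # Step 5: load the package into the hosted cache.
    Import-BCCachePackage -Path $PackagePath
}

# Example calls (paths and hash are placeholders):
# Export-PreloadPackage -ContentPath 'D:\Shares\Data' -Destination 'D:\BCPackage'
# Import-PreloadPackage -PackagePath 'D:\Import\<package>.zip' -ExpectedSha256 '<hash from Server1>'
```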

Question No : 158 - (Topic 3)

You have a server named Server1 that runs Windows Server 2012 R2.

You modify the properties of a system driver and you restart Server1.

You discover that Server1 continuously restarts without starting Windows Server 2012 R2.

You need to start Windows Server 2012 R2 on Server1 in the least amount of time. The
solution must minimize the amount of data loss.

Which Advanced Boot Option should you select?

A. Repair Your Computer
B. Last Known Good Configuration (advanced)
C. Disable Driver Signature Enforcement
D. Disable automatic restart on system failure

Answer: B
Explanation:

Try using Last Known Good Configuration if you can't start Windows, but it started correctly
the last time you turned on the computer.

Reference: Using Last Known Good Configuration

Question No : 159 - (Topic 3)

Your network contains an Active Directory domain named contoso.com. The domain
contains a server named Server1 that runs Windows Server 2012 R2. Server1 has the
Remote Desktop Session Host role service installed. The computer account of Server1
resides in an organizational unit (OU) named OU1.

You create and link a Group Policy object (GPO) named GPO1 to OU1. GPO1 is
configured as shown in the exhibit. (Click the Exhibit button.)

*Exhibit is Missing*

You need to prevent GPO1 from applying to your user account when you log on to Server1.
GPO1 must apply to every other user who logs on to Server1.

What should you configure?

A. Security Filtering
B. WMI Filtering
C. Block Inheritance
D. Item-level targeting

Answer: A
Explanation:

Security filtering is a way of refining which users and computers will receive and apply the
settings in a Group Policy object (GPO). Using security filtering, you can specify that only
certain security principals within a container where the GPO is linked apply the GPO.
Security group filtering determines whether the GPO as a whole applies to groups, users,
or computers; it cannot be used selectively on different settings within a GPO.
Incorrect:
Not B: Windows Management Instrumentation (WMI) filters allow you to dynamically
determine the scope of Group Policy objects (GPOs) based on attributes of the target
computer.

Reference: Security filtering using GPMC

https://technet.microsoft.com/sv-se/library/Cc781988(v=WS.10).aspx

Question No : 160 HOTSPOT - (Topic 3)

Your network contains an Active Directory domain named contoso.com.

You have a Dynamic Access Control policy named Policy1.

You create a new Central Access Rule named Rule1.

You need to add Rule1 to Policy1.

What command should you run?

To answer, select the appropriate options in the answer area.

Answer:

Explanation:

The Add-ADCentralAccessPolicyMember cmdlet adds central access rules to a central
access policy in Active Directory.

Syntax: Add-ADCentralAccessPolicyMember [-Identity] <ADCentralAccessPolicy> [-Members] <ADCentralAccessRule[]>

Question No : 161 - (Topic 3)

Your network contains an Active Directory domain named adatum.com. You create a new
Group Policy object (GPO) named GPO1.

You need to verify that GPO1 was replicated to all of the domain controllers.

Which tool should you use?

A. Gpupdate
B. Gpresult
C. Group Policy Management
D. Active Directory Sites and Services

Answer: C
Explanation:

In Windows Server 2012, the Group Policy Management Console (GPMC) was enhanced
to provide a report for the overall health state of the Group Policy infrastructure for a
domain, or to scope the health view to a single GPO.

Reference: Check Group Policy Infrastructure Status

http://technet.microsoft.com/en-us/library/jj134176.aspx

Question No : 162 - (Topic 3)

Your network contains an Active Directory domain named adatum.com. The domain
contains a file server named Server1 that runs Windows Server 2012 R2.

All client computers run Windows 7.

You need to ensure that user settings are saved to \\Server1\Users\.

What should you do?

A. From the properties of each user account, configure the User profile settings.
B. From a Group Policy object (GPO), configure the Folder Redirection settings.
C. From the properties of each user account, configure the Home folder settings.
D. From a Group Policy object (GPO), configure the Drive Maps preferences.

Answer: B
Explanation:

User settings and user files are typically stored in the local user profile, under the Users
folder. The files in local user profiles can be accessed only from the current computer,
which makes it difficult for users who use more than one computer to work with their data
and synchronize settings between multiple computers. Two technologies exist to address
this problem: Roaming Profiles and Folder Redirection.
Folder Redirection lets administrators redirect the path of a folder to a new location. The
location can be a folder on the local computer or a directory on a network file share. Users
can work with documents on a server as if the documents were based on a local drive. The
documents in the folder are available to the user from any computer on the network. Folder
Redirection is located under Windows Settings in the console tree when you edit
domain-based Group Policy by using the Group Policy Management Console (GPMC).

Reference: Folder Redirection Overview

https://technet.microsoft.com/en-us/library/cc732275.aspx

Question No : 163 - (Topic 3)

Your network contains one Active Directory forest named contoso.com. The forest contains
two child domains and six domain controllers. The domain controllers are configured as
shown in the following table.

For the contoso.com domain, a company policy states that administrators must be able to
retrieve a list of all the users who have not logged on to the network in the last seven days
from any domain controller.

You need to ensure that the users’ last logon information from the last seven days is
replicated to all of the domain controllers.

What should you use?

A. Set-ADSite
B. Set-ADReplicationSite
C. Set-ADDomain
D. Set-ADReplicationSiteLink
E. Set-ADGroup
F. Set-ADForest
G. Netdom

Answer: C
Explanation:

The Set-ADDomain LastLogonReplicationInterval parameter specifies the time, in days,
within which the last logon time of an account must be replicated across all domain
controllers in the domain. This parameter sets the LastLogonReplicationInterval property
for a domain. The LDAP display name (ldapDisplayName) for this property is
msDS-LogonTimeSyncInterval. The last logon replication interval must be at least one day.
Setting the last logon replication interval to a low value can significantly increase
domain-wide replication.

Reference: Technet, Set-ADDomain

https://technet.microsoft.com/en-us/library/ee617212.aspx

Question No : 164 DRAG DROP - (Topic 3)

Your network contains an Active Directory domain named contoso.com. The domain
contains two member servers named Server1 and Server2 that run Windows Server 2012
R2.

You configure a new failover cluster named Cluster1. Server1 and Server2 are nodes in
Cluster1. You need to configure the disk that will be used as a witness disk for Cluster1.

How should you configure the witness disk?

To answer, drag the appropriate configurations to the correct location or locations. Each
configuration may be used once, more than once, or not at all. You may need to drag the
split bar between panes or scroll to view content.

Answer:

Explanation:

Disk witness requirements include:

* Basic disk with a single volume
* Can be formatted with NTFS or ReFS

Question No : 165 HOTSPOT - (Topic 3)

Your network contains an Active Directory domain named contoso.com. The domain
contains a domain controller named DC1 and a member server named Server1. All servers
run Windows Server 2012 R2.

You install the IP Address Management (IPAM) Server feature on Server1.

From the Provision IPAM wizard, you select the Group Policy Based provisioning method
and enter a GPO name prefix of IPAM1.

You need to provision IPAM by using Group Policy.

What command should you run on Server1 to complete the process?

To answer, select the appropriate options in the answer area.

Answer:

Explanation:

The Invoke-IpamGpoProvisioning cmdlet creates and links three group policies specified in
the Domain parameter for provisioning required access settings on the server roles
managed by the computer running the IP Address Management (IPAM) server.

Question No : 166 - (Topic 3)


You have a DHCP server named Server1 that runs Windows Server 2012 R2.

You need to configure Server1 as a stateless DHCPv6 server.

Which cmdlet should you run?

A. Add-DHCPServerv6Scope
B. Add-DHCPServerv6OptionDefinition
C. Set-DHCPServerv6Class
D. Set-DHCPServerv6OptionValue

Answer: D
Explanation:

The parameters Parent Domain and IPv6 DNS Server, which the installation wizard asked
for during the DHCP server role installation if you chose “enable stateless mode,” can be
added manually to the Server Options node in the DHCP management console.
The Set-DhcpServerv6OptionValue cmdlet sets an IPv6 option value at the server, scope,
or reservation level.

Reference: The difference between stateless and stateful mode of a Windows Server 2008
R2 DHCPv6 server

https://4sysops.com/archives/the-difference-between-stateless-and-stateful-mode-of-a-windows-server-2008-r2-dhcpv6-server/

Question No : 167 - (Topic 3)

Your network contains one Active Directory domain. The domain contains two Hyper-V
hosts named Host1 and Host2 that run Windows Server 2012 R2.

Host1 contains a virtual machine named VM1.

You plan to move VM1 to Host2.

You need to generate a report that lists any configuration issues on Host2 that will prevent
VM1 from being moved successfully.

Which cmdlet should you use?

A. Move-VM
B. Test-VHD
C. Debug-VM
D. Compare-VM

Answer: C
Explanation:

The Compare-VM cmdlet compares a virtual machine and a virtual machine host for
compatibility, returning a compatibility report. This is useful when trying to import or migrate
a virtual machine that is incompatible with the target Hyper-V server.

Reference: Technet, Compare-VM

https://technet.microsoft.com/en-us/library/hh848612(v=wps.630).aspx

Question No : 168 - (Topic 3)

Your network contains three servers named HV1, HV2, and Server1 that run Windows
Server 2012 R2. HV1 and HV2 have the Hyper-V server role installed. Server1 is a file
server that contains 3 TB of free disk space.

HV1 hosts a virtual machine named VM1. The virtual machine configuration file for VM1 is
stored in D:\VM and the virtual hard disk file is stored in E:\VHD.

You plan to replace drive E with a larger volume.

You need to ensure that VM1 remains available from HV1 while drive E is being replaced.
You want to achieve this goal by using the minimum amount of administrative effort.

What should you do?

A. Perform a live migration to HV2.
B. Add HV1 and HV2 as nodes in a failover cluster. Perform a storage migration to HV2.
C. Add HV1 and HV2 as nodes in a failover cluster. Perform a live migration to HV2.
D. Perform a storage migration to Server1.

Answer: D
Explanation:

One of the great new features coming in Windows Server 2012 is Storage Migration for
Hyper-V. Storage Migration allows an administrator to relocate the source files that make
up a virtual machine to another location without any downtime.

Storage Migration creates a copy of the file or files at the new location. Once that is
finished, Server 2012 does a final replication of changes and then the virtual machine uses
the files in the new location.

Reference: Windows Server 2012 Hyper-V – Part 3: Storage Migration

Question No : 169 DRAG DROP - (Topic 3)

You have a server named Server1 that runs Windows Server 2012 R2.

You are asked to test Windows Azure Online Backup to back up Server1.

You need to back up Server1 by using Windows Azure Online Backup.

Which four actions should you perform in sequence?

To answer, move the appropriate four actions from the list of actions to the answer area
and arrange them in the correct order.

Answer:

Explanation:

* Getting started with Windows Azure Online Backup is a simple two-step process:
1. Get a free preview Windows Azure Online Backup account (with 300 GB of cloud
storage).
2. Log in to the Windows Azure Online Backup portal and download and install the Windows
Azure Online Backup agent for Windows Server 2012 R2 or System Center 2012 SP1 Data
Protection Manager. For Windows Server 2012 R2 Essentials, download and install the
Windows Azure Online Backup integration module.
Once you have installed the agent or integration module you can use the existing user
interfaces for registering the server to the service and setting up online backup.
* Install the Windows Azure Online Backup agent
Before you can begin to use the online protection service, you must download and install
the Windows Azure Online Backup agent on the Data Protection Manager (DPM) server.
You can download the Windows Azure Online Backup agent from the Windows Azure
Online Backup portal.

To register for online protection (box 4)

After you install the agent on the DPM server, you must register the DPM server for online
protection. Click Register Online Protection on the tool ribbon to start the Windows Azure
Backup Registration wizard.

Etc. (finish the steps in the wizard).

Question No : 170 - (Topic 3)

Your network contains one Active Directory domain named contoso.com. The forest
functional level is Windows Server 2012. All servers run Windows Server 2012 R2. All
client computers run Windows 8.1.

The domain contains 10 domain controllers and a read-only domain controller (RODC)
named RODC01. All domain controllers and RODCs are hosted on a Hyper-V host that
runs Windows Server 2012 R2.

You need to identify which user accounts were authenticated by RODC1.

Which cmdlet should you run?

A. Get-ADGroupMember
B. Get-ADDomainControllerPasswordReplicationPolicy
C. Get-ADDomainControllerPasswordReplicationPolicyUsage
D. Get-ADDomain

Answer: C
Explanation:

The Get-ADDomainControllerPasswordReplicationPolicyUsage cmdlet gets the user or computer
accounts that are authenticated by a read-only domain controller (RODC) or that have
passwords that are stored on that RODC. The list of accounts that are stored on a RODC is
known as the revealed list.

Reference: Get-ADDomainControllerPasswordReplicationPolicyUsage

https://technet.microsoft.com/en-us/library/ee617194.aspx

Question No : 171 - (Topic 3)

Your network contains two Web servers named Server1 and Server2. Both servers run
Windows Server 2012 R2.

Server1 and Server2 are nodes in a Network Load Balancing (NLB) cluster. The NLB cluster
contains an application named App1 that is accessed by using the URL
http://app1.contoso.com.

You plan to perform maintenance on Server1.

You need to ensure that all new connections to App1 are directed to Server2. The solution
must not disconnect the existing connections to Server1.

What should you run?

A. The Stop-NlbCluster cmdlet
B. The nlb.exe stop command
C. The Suspend-NlbCluster cmdlet
D. The nlb.exe suspend command

Answer: A
Explanation:

The Stop-NlbClusterNode cmdlet stops a node in an NLB cluster. When you stop
the nodes in the cluster, client connections that are already in progress are interrupted. To
avoid interrupting active connections, consider using the -drain parameter, which allows the
node to continue servicing active connections but disables all new traffic to that node.

Question No : 172 HOTSPOT - (Topic 3)

Your network contains an Active Directory domain named contoso.com. The domain
contains a server named Server2 that runs Windows Server 2012 R2.

You are a member of the local Administrators group on Server2. You install an Active
Directory Rights Management Services (AD RMS) root cluster on Server2.

You need to ensure that the AD RMS cluster is discoverable automatically by the AD RMS
client computers and the users in contoso.com.

Which additional configuration settings should you configure? To answer, select the
appropriate tab in the answer area.

Answer:

Explanation:

* Active Directory Domain Services (AD DS) service connection point (SCP) automatic
service discovery. This is the recommended way to deploy an AD RMS environment. In this
scenario, an SCP is created in the Active Directory forest where the AD RMS cluster is
installed. When the AD RMS client attempts user activation on the computer, it queries the
SCP to find the AD RMS cluster and download the rights account certificate (RAC). With
automatic service discovery, no additional configuration is required on the AD RMS client.

* Cluster - Cluster Properties - SCP Tab

Question No : 173 HOTSPOT - (Topic 3)

You build a test environment. The test environment contains one Active Directory forest.
The forest contains a single domain named contoso.com. The domain contains the servers
configured as shown in the following table.

You run the following commands.

New-ADReplicationSite Site1

New-ADReplicationSite Site2

New-ADReplicationSubnet -Name "192.168.1.0/24" -Site Site1

New-ADReplicationSubnet -Name "192.168.2.0/24" -Site Site2

New-ADReplicationSiteLink -Name "SiteLink1" -SitesIncluded Site1,Site2 -Cost 100 -ReplicationFrequencyInMinutes 15

You promote Server3 and Server4 to domain controllers by using the default options.

Use the drop-down menus to select the answer choice that completes each statement.

Answer:

Explanation:

* Replication will only occur between Server3 and Server4.

* Values that can be transferred in one replication cycle (replication of the current set of
updates between a source and destination domain controller): no limit.

Question No : 174 - (Topic 3)

Your network contains one Active Directory forest named contoso.com. The forest contains
two child domains and six domain controllers. The domain controllers are configured as
shown in the following table.

You need to enable universal group membership caching for the Europe office and Asia
office sites.

What should you use?

A. Set-ADSite
B. Set-ADReplicationSite
C. Set-ADDomain
D. Set-ADReplicationSiteLink
E. Set-ADGroup
F. Set-ADForest
G. Netdom

Answer: B
Explanation:

The Set-ADReplicationSite cmdlet is used to set the properties for an Active Directory site
that is being used for replication.

Parameter: -UniversalGroupCachingEnabled <Boolean>
Indicates whether the cmdlet enables universal group caching. If this parameter is true, it
indicates this site caches universal groups, which are those groups cached on global
catalog (GC) servers. It can be useful in sites with no GC servers available locally.

Reference: Technet, Set-ADReplicationSite

Question No : 175 - (Topic 3)

Your network contains one Active Directory forest named contoso.com. The forest contains
two child domains and six domain controllers. The domain controllers are configured as
shown in the following table.

You need to ensure that all Active Directory changes are replicated to all of the domain
controllers in the forest within 30 minutes.

What should you use?

A. Set-ADSite
B. Set-ADReplicationSite
C. Set-ADDomain
D. Set-ADReplicationSiteLink
E. Set-ADGroup
F. Set-ADForest
G. Netdom

Answer: B
Explanation:

The Set-ADReplicationSite cmdlet is used to set the properties for an Active Directory site
that is being used for replication. Sites are used in Active Directory to either enable clients
to discover network resources (published shares, domain controllers) close to the physical
location of a client computer or to reduce network traffic over wide area network (WAN)
links. Sites can also be used to optimize replication between domain controllers.

The parameter -ReplicationSchedule <ActiveDirectorySchedule> specifies the default
replication schedule for connections within this site (intra-site replication).

Reference: Technet, Set-ADReplicationSite

https://technet.microsoft.com/en-us/library/hh852305(v=wps.630).aspx

Question No : 176 HOTSPOT - (Topic 3)

Your network contains an Active Directory domain named contoso.com. The domain
contains an enterprise certification authority (CA).

The domain contains a server named Server1 that runs Windows Server 2012 R2. You
install the Active Directory Federation Services server role on Server1.

You plan to configure Server1 as an Active Directory Federation Services (AD FS) server.
The Federation Service name will be set to adfs1.contoso.com.

You need to identify which type of certificate template you must use to request a certificate
for AD FS.

Answer:

Explanation:

In general, installation of the AD FS service is a very straightforward process:

* Create Service Account for ADFS 2.0 Service
* Create Web Server Certificate Template
This step might be optional if you already have a template for Web Server.
Etc.

Question No : 177 - (Topic 3)

You have a server named Server1 that runs Windows Server 2012 R2.

Server1 fails.

You identify that the master boot record (MBR) is corrupt.

You need to repair the MBR.

Which tool should you use?

A. Bcdedit
B. Bcdboot
C. Bootrec
D. Fixmbr

Answer: C
Explanation:

Repairing an unbootable Windows installation with bootrec.exe

If the boot/recovery partition is corrupted or lost, you can modify your Windows OS partition
to boot.

✑ Boot from your Windows Vista/7/Server2008/R2/2012 media and choose the
"Repair Windows" option.
✑ Open the command prompt.
✑ Using diskpart, mark your Windows partition as bootable.
✑ If your Windows partition does not have it, copy the "boot" folder from the
installation media.
✑ Run the following commands:
>c:
>cd boot
>attrib bcd -s -h -r
>ren c:\boot\bcd bcd.old
>bootrec /RebuildBcd
Reboot and Windows should boot normally. If not, return to the command prompt and run:
>bootrec /FixMBR
>bootrec /FixBoot

Incorrect:
Not A. BCDEdit is a command-line tool for managing BCD stores. It can be used for a
variety of purposes, including creating new stores, modifying existing stores, adding boot
menu options, and so on. BCDEdit serves essentially the same purpose as Bootcfg.exe on
earlier versions of Windows.
Not B. The BCDboot tool is a command-line tool that enables you to manage system
partition files.
Not D. Fixmbr is not a tool. Fixmbr is an option when using the bootrec tool.

Reference: Windows BCD Store

http://www.itsgotme.com/wiki/Windows_BCD

Question No : 178 - (Topic 3)

You have a DHCP server named Server1 that runs Windows Server 2012 R2.

Server1 has two scopes named Production and Development. Currently, all DHCP clients
register their host name in a DNS zone named contoso.com.

You need to ensure that only the clients that obtain an IP address from the Development
scope register their host name in a DNS zone named dev.contoso.com.

What should you do?

A. Run the Set-DHCPServerv4Binding cmdlet.
B. Modify the Advanced settings of the Development scope.
C. Modify the Advanced settings of the DHCP server.
D. Create a DHCP policy for the Development scope.

Answer: D
Explanation:

DHCP policies can be defined server wide or for a specific scope. Any DNS registration
behavior of the DHCP server which can be configured server wide or on a per scope basis
– for example, turn on/off the DNS registration (and deregistration) or DNS name protection
– can be configured on a per policy basis.

Reference: DHCP Policies in Windows Server 2012

http://blogs.technet.com/b/teamdhcp/archive/2012/08/22/granular-dhcp-server-administration-using-dhcp-policies-in-windows-server-2012.aspx

Question No : 179 - (Topic 3)

Your network contains one Active Directory domain named contoso.com. The domain
contains the domain controllers configured as shown in the following table.

The functional level of the domain and the forest is Windows Server 2008.

An administrator named Admin1 is a member of the Domain Admins group.

You need to ensure that Admin1 can deploy a Windows Server 2012 R2 domain controller
to contoso.com.

What should you do?

A. Raise the forest functional level.
B. Run the Set-ADForestMode cmdlet.
C. Raise the domain functional level.
D. Run the adprep.exe command.
E. Demote DC1 to a member server.
F. Upgrade DC1 to Windows Server 2012.
G. Add Admin1 to the Schema Admins group.

Answer: D,F
Explanation:

Adprep.exe commands run automatically as needed as part of the AD DS installation
process on servers that run Windows Server 2012 or later. The commands need to run in
the following cases:
* Before you add the first domain controller that runs a version of Windows Server that is
later than the latest version that is running in your existing domain.
* Before you upgrade an existing domain controller to a later version of Windows Server, if
that domain controller will be the first domain controller in the domain or forest to run that
version of Windows Server.

Reference: Running Adprep.exe

https://technet.microsoft.com/en-us/library/dd464018(v=ws.10).aspx

Question No : 180 HOTSPOT - (Topic 3)

You run Get-ISCSIServerTarget and you receive the following output.

Use the drop-down menus to select the answer choice that completes each statement.

Answer:

Explanation:

The Get-IscsiServerTarget command obtains iSCSI targets and their associated properties.

* Usually, an iSCSI participant can be defined by three or four fields:


✑ Hostname or IP Address (e.g., "iscsi.example.com")
✑ Port Number (e.g., 3260)
✑ iSCSI Name (e.g., the IQN "iqn.2003-01.com.ibm:00.fcd0ab21.shark128")
✑ An optional CHAP Secret (e.g., "secretsarefun")

-iSCSI Qualified Name (IQN)


the fields are:
literal iqn (iSCSI Qualified Name)
date (yyyy-mm) that the naming authority took ownership of the domain
reversed domain name of the authority (e.g. org.alpinelinux, com.example, to.yp.cr)
Optional ":" prefixing a storage target name specified by the naming authority.

* -InitiatorId<InitiatorId>
Specifies the iSCSI initiator identifiers (IDs) to which the iSCSI target is assigned.
Use this parameter to filter out the iSCSI Server Target object which can be accessed by
the given iSCSI initiator.
The format of this parameter is IdType:Value.
The acceptable values for this parameter are: DNSName, IPAddress, IPv6Address, IQN, or
MACAddress.
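
The IdType:Value format and the IQN fields described above can be checked before an identifier is used to scope access to a target. The following PowerShell is an added example, not part of the original explanation; the function name ConvertFrom-InitiatorId is hypothetical and the second sample identifier is constructed.

```powershell
# Added example: ConvertFrom-InitiatorId is a hypothetical helper, not one of
# the iSCSI Target cmdlets.
function ConvertFrom-InitiatorId {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string]$InitiatorId
    )
    process {
        # IdType values accepted by -InitiatorId, as listed in the explanation.
        $idTypes = 'DNSName', 'IPAddress', 'IPv6Address', 'IQN', 'MACAddress'

        # Split on the first colon only: IQN and IPv6 values contain colons.
        $idType, $value = $InitiatorId -split ':', 2
        if ($idTypes -notcontains $idType -or [string]::IsNullOrWhiteSpace($value)) {
            throw "Expected IdType:Value with IdType in ($($idTypes -join ', ')): '$InitiatorId'"
        }

        $result = [ordered]@{
            IdType = $idType
            Value  = $value
        }

        if ($idType -eq 'IQN') {
            # Layout: iqn.<yyyy-mm>.<reversed domain>[:<storage target name>]
            $pattern = '^iqn\.(?<year>\d{4})-(?<month>0[1-9]|1[0-2])\.(?<authority>[^:]+)(?::(?<target>.+))?$'
            if (-not ($value -match $pattern)) {
                throw "Not a well-formed IQN: '$value'"
            }

            # Reverse the labels to recover the naming authority's domain name.
            [string[]]$labels = $Matches['authority'] -split '\.'
            [array]::Reverse($labels)

            $result['OwnedSince']      = '{0}-{1}' -f $Matches['year'], $Matches['month']
            $result['ReversedDomain']  = $Matches['authority']
            $result['AuthorityDomain'] = $labels -join '.'
            # Stays $null when the optional ":" part is absent.
            $result['TargetName']      = $Matches['target']
        }

        New-Object -TypeName psobject -Property $result
    }
}

# Sample identifiers: the IQN is the one quoted in the explanation, the IP
# address is constructed.
'IQN:iqn.2003-01.com.ibm:00.fcd0ab21.shark128', 'IPAddress:10.0.0.15' |
    ConvertFrom-InitiatorId |
    Format-List
```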

Question No : 181 HOTSPOT - (Topic 3)

Your network contains one Active Directory domain.

The domain contains an enterprise certification authority (CA).

You need to ensure that members of a group named Group1 can issue certificates for the
User certificate template only.

Which two tabs should you use to perform the configuration? To answer, select the
appropriate tabs in the answer area.

Answer:

Explanation:

To configure certificate manager restrictions for a CA

✑ Open the Certification Authority snap-in, and right-click the name of the CA.
✑ Click Properties, and then click the Security tab.
✑ Verify that the user or group that you have selected has Issue and Manage
Certificates permission. If they do not yet have this permission, select
the Allow check box, and then click Apply.
✑ Click the Certificate Managers tab.
✑ Click Restrict certificate managers, and verify that the name of the group or user is
displayed.
✑ Under Certificate Templates, click Add, select the template for the certificates that
you want this user or group to manage, and then click OK. Repeat this step until
you have selected all certificate templates that you want to allow this certificate
manager to manage.
✑ Under Permissions, click Add, type the name of the client for whom you want the
certificate manager to manage the defined certificate types, and then click OK.
✑ If you want to block the certificate manager from managing certificates for a
specific user, computer, or group, under Permissions, select this user, computer,
or group, and click Deny.
✑ When you are finished configuring certificate manager restrictions,
click OK or Apply.

Question No : 182 - (Topic 3)

Your network contains an Active Directory domain named contoso.com. The domain
contains a server named Server1 that runs Windows Server 2008 R2.

You plan to test Windows Server 2012 R2 by using native-boot virtual hard disks (VHDs).

You have a Windows image file named file1.wim.

You need to add an image of a volume to file1.wim.

What should you do?

A. Run imagex.exe and specify the /append parameter.
B. Run imagex.exe and specify the /export parameter.
C. Run dism.exe and specify the /image parameter.
D. Run dism.exe and specify the /append-image parameter.

Answer: D
Explanation:

The Deployment Image Servicing and Management (DISM) tool is a command-line tool that
enables the creation of Windows® image (.wim) files for deployment in a manufacturing or
corporate IT environment. The /Append-Image option appends a volume image to an
existing .wim file allowing you to store many customized Windows images in a fraction of
the space. When you combine two or more Windows image files into a single .wim, any
files that are duplicated between the images are only stored once.
Incorrect:
Not A, not B: ImageX has been flagged by Microsoft as a deprecated utility, and has been
replaced with DISM.

Reference: Append a Volume Image to an Existing Image Using DISM

https://technet.microsoft.com/en-us/library/hh824916.aspx

Question No : 183 - (Topic 3)

You need to verify whether a DNS response from a DNS server is signed by DNSSEC.

What should you run?

A. nslookup.exe
B. dnscmd.exe
C. Resolve-DNSName
D. Get-NetIPAddress

Answer: C
Explanation:

The Resolve-DnsName cmdlet performs a DNS query for the specified name. This cmdlet
is functionally similar to the nslookup tool which allows users to query for names. The
Resolve-DnsName cmdlet was introduced in Windows Server 2012 and Windows 8 and
can be used to display DNS queries that include DNSSEC data.
Parameters include:
* -DnssecOk
Sets the DNSSEC OK bit for this query.
* -DnssecCd
Sets the DNSSEC checking-disabled bit for this query.
Example: In the following example, the DO=1 flag is set by adding the dnssecok
parameter.
PS C:\> resolve-dnsname -name finance.secure.contoso.com -type A -server dns1.contoso.com -dnssecok

Incorrect:
Not A: Do not use the nslookup command-line tool to test DNSSEC support for a zone. The
nslookup tool uses an internal DNS client that is not DNSSEC-aware.

Reference: Resolve-DnsName

https://technet.microsoft.com/library/jj590781.aspx

Reference: Overview of DNSSEC

https://technet.microsoft.com/en-us/library/jj200221.aspx#validation
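
To decide from the output of Resolve-DnsName -DnssecOk whether an answer came back signed, look for RRSIG records that cover the queried type and are inside their validity window. The following PowerShell is an added example, not part of the original explanation; Get-DnssecSignatureStatus is a hypothetical helper, the sample records are constructed, and the property names (QueryType, TypeCovered, Signer, Signed, Expiration) are assumed to match what Resolve-DnsName returns for RRSIG records.

```powershell
# Added example: Get-DnssecSignatureStatus is a hypothetical helper name.
# Assumption: RRSIG objects expose QueryType, TypeCovered, Signer, Signed and
# Expiration, and Signed/Expiration are [datetime] values comparable to $Now.
function Get-DnssecSignatureStatus {
    [CmdletBinding()]
    param(
        # Output of Resolve-DnsName run with -DnssecOk.
        [Parameter(Mandatory = $true)]
        [object[]]$Record,

        # Record type that was queried, for example A.
        [Parameter(Mandatory = $true)]
        [string]$Type,

        [datetime]$Now = (Get-Date)
    )

    # With DO=1 a signed zone returns RRSIG records next to the answer records.
    $answers = @($Record | Where-Object { "$($_.QueryType)" -eq $Type })
    $signatures = @($Record | Where-Object {
        "$($_.QueryType)" -eq 'RRSIG' -and "$($_.TypeCovered)" -eq $Type
    })

    # A signature outside its validity window does not vouch for the answer.
    $current = @($signatures | Where-Object {
        $_.Signed -le $Now -and $_.Expiration -ge $Now
    })

    # This reports that signatures are present and current. It does not verify
    # them cryptographically; that is the job of a validating DNS server.
    New-Object -TypeName psobject -Property ([ordered]@{
        Type              = $Type
        AnswerCount       = $answers.Count
        SignatureCount    = $signatures.Count
        CurrentSignatures = $current.Count
        Signer            = ($signatures | Select-Object -ExpandProperty Signer -Unique) -join ', '
        Signed            = ($answers.Count -gt 0 -and $current.Count -gt 0)
    })
}

# Constructed sample records standing in for the output of:
#   Resolve-DnsName -Name finance.secure.contoso.com -Type A -Server dns1.contoso.com -DnssecOk
$sample = @(
    New-Object -TypeName psobject -Property @{
        Name      = 'finance.secure.contoso.com'
        QueryType = 'A'
        IPAddress = '192.0.2.10'
    }
    New-Object -TypeName psobject -Property @{
        Name        = 'finance.secure.contoso.com'
        QueryType   = 'RRSIG'
        TypeCovered = 'A'
        Signer      = 'secure.contoso.com'
        Signed      = [datetime]'2024-01-01'
        Expiration  = [datetime]'2024-01-11'
    }
)

# Signed answer, checked at a time inside the signature's validity window.
Get-DnssecSignatureStatus -Record $sample -Type A -Now ([datetime]'2024-01-05')

# Same answer without its RRSIG, as an unsigned zone would return it.
Get-DnssecSignatureStatus -Record $sample[0] -Type A -Now ([datetime]'2024-01-05')
```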

Question No : 184 - (Topic 3)

Your network contains an Active Directory domain named contoso.com. All servers run
Windows Server 2012 R2.

The domain contains a domain controller named DC1 that is configured as an enterprise
root certification authority (CA).

All users in the domain are issued a smart card and are required to log on to their
domain-joined client computer by using their smart card.

A user named User1 resigned and started to work for a competing company.

You need to prevent User1 immediately from logging on to any computer in the domain.
The solution must not prevent other users from logging on to the domain.

Which tool should you use?

A. Server Manager
B. The Certification Authority console
C. Active Directory Administrative Center
D. Active Directory Sites and Services

Answer: C

Question No : 185 - (Topic 3)

You have two servers named Server1 and Server2 that run Windows Server 2012 R2.

You have a Microsoft Azure subscription that has two backup vaults named Vault1 and
Vault2.

Server1 is backed up to Vault1. The backup of Server1 contains a file named Data.db.
Server2 is backed up to Vault2.

You need to recover a copy of Data.db to Server2.

What should you do?

A. From the Azure Management Portal, modify the policies of Vault1. On Server2, run the
Recover Data Wizard.
B. From Server2, modify the logon settings for the Microsoft Azure Recovery Services
Agent service, and then run the Recover Data Wizard.
C. From the Azure Management Portal, allow the re-registration of Server1. On Server2,
modify the Microsoft Azure Backup properties, and then run the Recover Data Wizard.
D. From Server2, copy the Vault1 credentials and the passphrase. Run the Recover Data
Wizard.

Answer: D
Explanation:

We need the Vault1 credentials to be able to access the data in Vault1.
We need the passphrase of Server1 to access the backup that was made on Server1.

Reference: Microsoft Azure - Cloud Backup and Recovery

http://blogs.technet.com/b/rmurphy/archive/2014/12/02/microsoft-azure-backup.aspx

Question No : 186 - (Topic 3)

You have a server named LON-DC1 that runs Windows Server 2012 R2. An iSCSI virtual
disk named VirtualiSCSI1.vhd exists on LON-DC1 as shown in the exhibit. (Click the
Exhibit button.)

You create a new iSCSI virtual disk named VirtualiSCSI2.vhd by using the existing itgt
iSCSI target.

VirtualiSCSI1.vhd is removed from LON-DC1.

You need to assign VirtualiSCSI2.vhd a logical unit value of 0.

What should you do?

A. Run the Set-VirtualDisk cmdlet and specify the -UniqueId parameter.
B. Run the Add-IscsiVirtualDiskTargetMapping cmdlet and specify the -Lun parameter.
C. Run the iscsicli command and specify the reportluns parameter.
D. Run the Set-IscsiVirtualDisk cmdlet and specify the -DevicePath parameter.

Answer: C
Explanation:

The Add-IscsiVirtualDiskTargetMapping cmdlet assigns a virtual disk to an iSCSI target.
Once a virtual disk has been assigned to a target, and after the iSCSI initiator connects to
that target, the iSCSI initiator can access the virtual disk. All of the virtual disks assigned to
the same iSCSI target will be accessible by the connected iSCSI initiator.

Parameters include: -Lun <Int32>
Specifies the logical unit number (LUN) associated with the virtual disk. By default, the
lowest available LUN number will be assigned.

Reference: Add-IscsiVirtualDiskTargetMapping

https://technet.microsoft.com/en-us/library/jj612800(v=wps.630).aspx

Question No : 187 HOTSPOT - (Topic 3)

Your network contains one Active Directory domain named contoso.com. The domain
contains 10 file servers that run Windows Server 2012 R2.

You plan to enable BitLocker Drive Encryption (BitLocker) for the operating system
drives of the file servers.

You need to configure BitLocker policies for the file servers to meet the following
requirements:

✑ Ensure that all of the servers use a startup PIN for operating system drives
encrypted with BitLocker.
✑ Ensure that the BitLocker recovery key and recovery password are stored in Active
Directory.

Which two Group Policy settings should you configure? To answer, select the appropriate
settings in the answer area.

Answer:

Explanation:

Choice 1: Require additional authentication at startup
Choice 2: Choose how BitLocker-protected operating system drives can be recovered

* Choice 1: Require additional authentication at startup
This policy setting is used to control which unlock options are available for operating
system drives.
You can set this option to Require startup PIN with TPM.

* Choice 2: Choose how BitLocker-protected operating system drives can be recovered
This policy setting is used to configure recovery methods for operating system drives.
In Save BitLocker recovery information to Active Directory Domain Services, choose which
BitLocker recovery information to store in Active Directory Domain Services (AD DS) for
operating system drives. If you select Store recovery password and key packages, the
BitLocker recovery password and the key package are stored in AD DS. Storing the key
package supports recovering data from a drive that is physically corrupted. If you select
Store recovery password only, only the recovery password is stored in AD DS.

Question No : 188 - (Topic 3)

Your network contains an Active Directory domain named corp.contoso.com.

You deploy Active Directory Rights Management Services (AD RMS).

You have a rights policy template named Template1. Revocation is disabled for the
template.

A user named User1 can open content that is protected by Template1 while the user is
connected to the corporate network.

When User1 is disconnected from the corporate network, the user cannot open the
protected content even if the user previously opened the content.

You need to ensure that the content protected by Template1 can be opened by users who
are disconnected from the corporate network.

What should you modify?

A. The User Rights settings of Template1
B. The templates file location of the AD RMS cluster
C. The Extended Policy settings of Template1
D. The exclusion policies of the AD RMS cluster

Answer: C
Explanation:

* The extended rights policy of a template controls how content licenses are to be
implemented. The extended rights policy template settings are specified by using the Active
Directory Rights Management Services (AD RMS) administration site. The available
settings control persistence of author rights, whether trusted browsers are supported,
license persistence within the content, and enforcement of any application-specific data.

* You can add trust policies so that AD RMS can process licensing requests for content
that was rights protected.

Reference: Extended Policy Template Information; AD RMS and Server Design

http://technet.microsoft.com/en-us/library/ee221071(v=ws.10).aspx

Question No : 189 - (Topic 3)

You have a cluster named Cluster1 that contains two nodes. Both nodes run Windows
Server 2012 R2. Cluster1 hosts a virtual machine named VM1 that runs Windows Server
2012 R2.

You configure a custom service on VM1 named Service1.

You need to ensure that VM1 will be moved to a different node if Service1 fails.

Which cmdlet should you run on Cluster1?

A. Add-ClusterVmMonitoredItem
B. Set-ClusterResourceDependency
C. Enable-VmResourceMetering
D. Add-ClusterGenericServiceRole

Answer: A
Explanation:

* The Add-ClusterVMMonitoredItem cmdlet configures monitoring for a service or an Event
Tracing for Windows (ETW) event so that it is monitored on a virtual machine. If the service
fails or the event occurs, then the system responds by taking an action based on the
failover configuration for the virtual machine resource. For example, the configuration might
specify that the virtual machine be restarted or failed over.

* The decision on whether to fail over or restart on the same node is configurable and
determined by the failover properties for the virtual machine.

Reference: Add-ClusterVMMonitoredItem

Question No : 190 - (Topic 3)

Your network contains an Active Directory domain named contoso.com. The domain
contains a certification authority (CA).

You suspect that a certificate issued to a Web server is compromised.

You need to minimize the likelihood that users will trust the compromised certificate.

Which two actions should you perform? (Each correct answer presents part of the solution.
Choose two.)

A. Stop the Certificate Propagation service.
B. Modify the validity period of the Web Server certificate template.
C. Run certutil and specify the -revoke parameter.
D. Run certutil and specify the -deny parameter.
E. Publish the certificate revocation list (CRL).

Answer: C,E
Explanation:
First revoke the certificate, then publish the CRL.

Question No : 191 - (Topic 3)

Your network contains an Active Directory domain named contoso.com. The domain
contains a server named Server1 that runs Windows Server 2012 R2. Server1 has the
Active Directory Rights Management Services server role installed.

The domain contains a domain local group named Group1.

You create a rights policy template named Template1. You assign Group1 the rights to
Template1.

You need to ensure that all the members of Group1 can use Template1.

What should you do?

A. Configure the email address attribute of Group1.
B. Convert the scope of Group1 to global.
C. Convert the scope of Group1 to universal.
D. Configure the email address attribute of all the users who are members of Group1.

Answer: D
Explanation:
When a user or group is created in Active Directory, the mail attribute is an optional
attribute that can be set to include a primary email address for the user or group. For AD
RMS to work properly, this attribute must be set because all users must have an email
attribute to protect and consume content.

Reference: AD RMS Troubleshooting Guide

http://social.technet.microsoft.com/wiki/contents/articles/13130.ad-rms-troubleshooting-guide.aspx

Question No : 192 DRAG DROP - (Topic 3)

You have a server named Server2 that runs Windows Server 2012 R2. You have storage
provisioned on Server2 as shown in the exhibit. (Click the Exhibit button.)

You need to configure the storage so that it appears in Windows Explorer as a drive letter
on Server1.

Which three actions should you perform in sequence? To answer, move the three
appropriate actions from the list of actions to the answer area and arrange them in the
correct order.

Answer:

Explanation:

Step 1 (on Server2): Target: It is an object which allows the iSCSI initiator to make a
connection. The Target keeps track of the initiators which are allowed to be connected to it.
The Target also keeps track of the iSCSI virtual disks which are associated with it. Once
the initiator establishes the connection to the Target, all the iSCSI virtual disks associated
with the Target will be accessible by the initiator.
Step 2 (on Server1): Configure the iSCSI initiator to log on to the Target

Once the iSCSI virtual disk is created and assigned, it is ready for the initiator to log on.

Note: Typically, the iSCSI initiator and iSCSI Target are on different machines (physical or
virtual). You will need to provide the iSCSI Target server IP or host name to the initiator,
and the initiator will be able to do a discovery of the iSCSI Target.

Step 3 (on Server1): Create a new volume

Once the connection is established, the iSCSI virtual disk will be presented to the initiator
as a disk. By default, this disk will be offline. For typical usage, you want to create a
volume, format the volume, and assign it a drive letter so it can be used just like a local
hard disk.

Question No : 193 - (Topic 3)

Your network contains an Active Directory domain named contoso.com. The domain
contains a server named Server1 that runs Windows Server 2012 R2. Server1 has an
enterprise root certification authority (CA) for contoso.com.

You deploy another member server named Server2 that runs Windows Server 2012 R2
and has the Web Server (IIS) server role installed.

You need to designate a website on Server1 as the certificate revocation list (CRL)
distribution point for the CA. The solution must ensure that CRLs are published
automatically to Server2.

Which two actions should you perform? (Each correct answer presents part of the solution.
Choose two.)

A. Create an http:// CRL distribution point (CDP) entry.
B. Configure a CA exit module.
C. Create a file:// CRL distribution point (CDP) entry.
D. Configure a CA policy module.
E. Configure an enrollment agent.

Answer: A,D
Explanation:

A. To specify CRL distribution points in issued certificates

✑ Open the Certification Authority snap-in.
✑ In the console tree, click the name of the CA.
✑ On the Action menu, click Properties, and then click the Extensions tab. Confirm
that Select extension is set to CRL Distribution Point (CDP).
✑ Do one or more of the following. (The list of CRL distribution points is in the
Specify locations from which users can obtain a certificate revocation list (CRL)
box.)
✑ To indicate that you want to use a URL as a CRL distribution point, click the CRL
distribution point, select the Include in the CDP extension of issued certificates
check box, and then click OK.
✑ Click Yes to stop and restart Active Directory Certificate Services (AD CS).

D. You can specify CRL Distribution Points (CDPs) in CAPolicy.inf. Note that any CDP in
CAPolicy.inf will take precedence for certificate verifiers over the CDPs specified in the CA
policy module.

Note:
CRLDistributionPoint

You can specify CRL Distribution Points (CDPs) for a root CA certificate in the CAPolicy.inf.
This section does not configure the CDP for the CA itself. After the CA has been installed
you can configure the CDP URLs that the CA will include in each certificate that it issues.
The URLs specified in this section of the CAPolicy.inf file are included in the root CA
certificate itself.
Example:
[CRLDistributionPoint]
URL=http://pki.wingtiptoys.com/cdp/WingtipToysRootCA.crl

Question No : 194 - (Topic 3)

You configure the nodes to use the port rule shown in the exhibit. (Click the Exhibit button.)

You need to configure the NLB cluster to meet the following requirements:

✑ HTTPS connections must be directed to Server1 if Server1 is available.
✑ HTTP connections must be load balanced between the two nodes.

Which three actions should you perform? (Each correct answer presents part of the
solution. Choose three.)

A. From the host properties of Server2, set the Handling priority of the existing port rule to
2.
B. Create a port rule for TCP port 80. Set the Filtering mode to Multiple host and set the
Affinity to None.
C. Create an additional port rule for TCP port 443. Set the Filtering mode to Multiple host
and set the Affinity to Single.
D. From the host properties of Server1, set the Handling priority of the existing port rule to
2.
E. From the host properties of Server2, set the Priority (Unique host ID) value to 1.
F. From the host properties of Server1, set the Handling priority of the existing port rule to
1.

Answer: A,B,F
Explanation:

Multiple hosts. This parameter specifies that multiple hosts in the cluster handle network
traffic for the associated port rule. This filtering mode provides scaled performance in
addition to fault tolerance by distributing the network load among multiple hosts. You can
specify that the load be equally distributed among the hosts or that each host handle a
specified load weight.

Note: Handling priority: When Single host filtering mode is being used, this parameter
specifies the local host's priority for handling the networking traffic for the associated port
rule. The host with the highest handling priority (lowest numerical value) for this rule among
the current members of the cluster will handle all of the traffic for this rule. The allowed
values range from 1, the highest priority, to the maximum number of hosts allowed (32).
This value must be unique for all hosts in the cluster.

Reference: Network Load Balancing parameters.

Question No : 195 HOTSPOT - (Topic 3)

Your network contains one Active Directory forest named contoso.com. The forest contains
the domain controllers configured as shown in the following table.

You perform the following actions:

✑ Create a file named File1.txt in the SYSVOL folder on DC1.
✑ Create a user named User1 on DC4.

You need to identify on which domain controller or controllers a copy of each object is
stored.

What should you identify? To answer, select the appropriate options in the answer area.

Answer:

Question No : 196 HOTSPOT - (Topic 3)

Your network contains an Active Directory domain named adatum.com. All servers run
Windows Server 2012 R2. All domain controllers have the DNS Server server role installed.

You have a domain controller named DC1.

On DC1, you create an Active Directory-integrated zone named adatum.com and you sign
the zone by using DNSSEC.

You deploy a new read-only domain controller (RODC) named RODC1.

You need to ensure that the contoso.com zone replicates to RODC1.

What should you configure on DC1?

To answer, select the appropriate tab in the answer area.

Answer:

Explanation:

For additional servers to host a zone, zone transfers are required to replicate and
synchronize all copies of the zone used at each server configured to host the zone.

Question No : 197 - (Topic 3)

Your network contains an Active Directory forest named contoso.com.

Users frequently access the website of an external partner company. The URL of the
website is http://partners.adatum.com.

The partner company informs you that it will perform maintenance on its Web server and
that the IP addresses of the Web server will change.

After the change is complete, the users on your internal network report that they fail to
access the website. However, some users who work from home report that they can
access the website.

You need to ensure that your DNS servers can resolve partners.adatum.com to the correct
IP address immediately.

What should you do?

A. Run Set-DnsServerScavenging.
B. Run ipconfig and specify the FlushDns parameter.
C. Run Set-DnsServerResourceRecordAging.
D. Run dnscmd and specify the ClearCache parameter.

Answer: D
Explanation:

Clear the DNS cache on the DNS server with either Dnscmd /ClearCache (from command
prompt) or Clear-DnsServerCache (from Windows PowerShell).

Reference: Technet, Dnscmd

Question No : 198 HOTSPOT - (Topic 3)

Your network contains an Active Directory domain named contoso.com. The domain
contains two Active Directory sites named Site1 and Site2.

You need to configure the replication between the sites to occur by using change
notification.

Which attribute should you modify?

Answer:

Explanation:

Active Directory Replication Change Notification

* Right-click the site link object for the sites for which you want to enable change
notification, and then click Properties.
* In the Select a property to view box, select options.
* In the Edit Attribute box, if the Value(s) box shows <not set>, type 1 in the Edit Attribute
box.
* Click OK.

Question No : 199 - (Topic 3)

Your network contains one Active Directory domain named contoso.com. The domain
contains two servers named Server1 and Server2 that run Windows Server 2012 R2.

You perform daily backups of the data on Server1 to Microsoft Azure.

You need to restore the data from the last backup of Server1 to Server2.

What should you do first?

A. On Server2, install the Azure Backup Agent.
B. From the Azure Management Portal, modify the configuration of the backup vault.
C. In the domain, add Server2 to the Backup Operators group.
D. On Server2, install the Windows Server Backup feature.

Answer: B
Explanation:

We need the Vault credentials to be able to access the data in Vault1.

Reference: Microsoft Azure - Cloud Backup and Recovery

http://blogs.technet.com/b/rmurphy/archive/2014/12/02/microsoft-azure-backup.aspx

Question No : 200 HOTSPOT - (Topic 3)

Your network contains two Web servers named Server1 and Server2. Both servers run
Windows Server 2012 R2.

Server1 and Server2 are nodes in a Network Load Balancing (NLB) cluster. The NLB
cluster contains an application named App1 that is accessed by using the name
appl.contoso.com.

The NLB cluster has the port rules configured as shown in the exhibit. (Click the Exhibit
button.)

To answer, complete each statement according to the information presented in the exhibit.
Each correct selection is worth one point.

Answer:

Explanation:

* Port 80 is in Single mode.

* An HTTP session is a sequence of network request-response transactions. An HTTP
client initiates a request by establishing a Transmission Control Protocol (TCP) connection
to a particular port on a server (typically port 80, occasionally port 8080).

Question No : 201 - (Topic 3)

A user named User1 is a member of the local Administrators group on Node1 and Node2.

User1 creates a new clustered File Server role named File1 by using the File Server for
general use option.

A report is generated during the creation of File1 as shown in the exhibit. (Click the Exhibit
button.)

File1 fails to start.

You need to ensure that you can start File1.

What should you do?

A. Log on to the domain by using the built-in Administrator for the domain, and then
recreate the clustered File Server role by using the File Server for general use option.
B. Assign the user account permissions of User1 to the Servers OU.
C. Assign the computer account permissions of Cluster2 to the Servers OU.
D. Increase the value of the ms-DS-MachineAccountQuota attribute of the domain.
E. Recreate the clustered File Server role by using the File Server for scale-out application
data option.

Answer: B
Explanation:

Scenario: You have created a Windows Server 2012 Scale-Out File Server. The cluster,
including the network and storage, passes the cluster validation test. Everything looks and is
good. You create a File Server role for application data (SOFS) but it fails to start.

Problem: Basically, the cluster needs permissions to create a computer object (for the
SOFS) in the same Active Directory OU that the cluster object (Demo-FSC1) is stored in.

Resolution: Reconfigure the permissions on the Servers OU.
In this case we assign the user account permissions of User1 to the Servers OU.

Reference: Scale-Out File Server Role Fails To Start With Event IDs 1205, 1069, and 1194

http://www.aidanfinn.com/?p=14142

Question No : 202 DRAG DROP - (Topic 3)

Your network contains an Active Directory domain named contoso.com. The domain
contains four member servers named Server1, Server2, Server3, and Server4. Server1
and Server2 run Windows Server 2008 R2.

Server1 and Server2 have the Hyper-V server role and the Failover Clustering feature
installed. Failover Clustering is configured to provide highly available virtual machines
by using a cluster named Cluster1.

Cluster1 hosts 10 virtual machines.

Server3 and Server4 run Windows Server 2012 R2.

You install the Hyper-V server role and the Failover Clustering feature on Server3 and
Server4. You create a cluster named Cluster2.

You need to migrate cluster resources from Cluster1 to Cluster2. The solution must
minimize downtime on the virtual machines.

Which five actions should you perform?

To answer, move the appropriate five actions from the list of actions to the answer area
and arrange them in the correct order.

Answer:

Explanation:

1. Move Highly Available (Clustered) VMs to Windows Server 2012 with the Cluster
Migration Wizard
On the Windows Server 2012 cluster (the target cluster), from Failover Cluster Manager,
select a cluster and then use the More Actions | Migrate Roles… menu to launch the
Cluster Migration Wizard.

2. Shut down all VMs on the source Windows Server 2008 R2 cluster that have been
migrated.
3. Unmask the common shared storage (LUNs) so that they are not presented to the
Windows Server 2008 R2 source cluster.
4. Mask the common shared storage (LUNs) to the Windows Server 2012 target cluster.
5. Start all VMs on the target Windows Server 2012 cluster.

Question No : 203 - (Topic 3)

Your network contains an Active Directory domain named adatum.com. The domain
contains a server named CA1 that runs Windows Server 2012 R2. CA1 has the Active
Directory Certificate Services server role installed and is configured to support key archival
and recovery.

You need to ensure that a user named User1 can decrypt private keys archived in the
Active Directory Certificate Services (AD CS) database. The solution must prevent User1
from retrieving the private keys from the AD CS database.

What should you do?

A. Assign User1 the Issue and Manage Certificates permission to CA1.
B. Assign User1 the Read permission and the Write permission to all certificate templates.
C. Provide User1 with access to a Key Recovery Agent certificate and a private key.
D. Assign User1 the Manage CA permission to CA1.

Answer: C
Explanation:

Understanding the Key Recovery Agent Role


KRAs are Information Technology (IT) administrators who can decrypt users’ archived
private keys. An organization can assign KRAs by issuing KRA certificates to designated
administrators and configure them on the CA. The KRA role is not one of the default roles
defined by the Common Criteria specifications but a virtual role that can provide separation
between Certificate Managers and the KRAs. This allows the separation between the
Certificate Manager, who can retrieve the encrypted key from the CA database but not
decrypt it, and the KRA, who can decrypt private keys but not retrieve them from the CA
database.

Reference: Understanding User Key Recovery

Question No : 204 - (Topic 3)

You have a server named Server1.

A Microsoft Azure Backup of Server1 is created automatically every day.

You rename Server1 to Server2.

You discover that backups are no longer created in Azure.

You need to back up the server to Azure.

What should you do?

A. From the Azure Management Portal, modify the configuration of backup vault.
B. On Server2, run the Add-WBBackupTarget cmdlet.
C. On Server2, run the Start-OBRegistration cmdlet.
D. From the Azure Management Portal, upload the Server2 certificate as a management
certificate.

Answer: C

Explanation:

The Start-OBRegistration cmdlet registers the server using the vault credentials
downloaded during enrollment.

Reference: Azure Backup – FAQ

https://azure.microsoft.com/sv-se/documentation/articles/backup-azure-backup-faq/

Reference: Start-OBRegistration

https://technet.microsoft.com/en-us/library/hh770398(v=wps.630).aspx

Question No : 205 - (Topic 3)

Your network contains an Active Directory domain named contoso.com. The domain
contains a server named Server1 that runs Windows Server 2012 R2.

Server1 is an enterprise root certification authority (CA) for contoso.com.

You need to ensure that the members of a group named Group1 can request code signing
certificates. The certificates must be issued automatically to the members.

Which two actions should you perform? (Each correct answer presents part of the solution.
Choose two.)

A. From Certificate Templates, modify the certificate template.
B. From Certification Authority, add a certificate template to be issued.
C. From Certificate Authority, modify the CA properties.
D. From Certificate Templates, duplicate a certificate template.
E. From Certificate Authority, stop and start the Active Directory Certificate Services (AD
CS) service.

Answer: A,D
Explanation:
Best practices include: Duplicate new templates from existing templates closest in function
to the intended template.


New certificate templates are duplicated from existing templates. Many settings are copied
from the original template. Because of this, duplicating one template to another of a totally
different type may carry over some unintended settings. When duplicating a template,
examine the subject type of the original template and ensure that you duplicate one that
has a similar function to that of the intended template. Although most settings for certificate
templates can be edited once the template is duplicated, the subject type cannot be
changed.

Reference: Deploying Certificate Templates

https://technet.microsoft.com/en-us/library/cc770794%28v=ws.10%29.aspx

Question No : 206 - (Topic 3)

Your network contains one Active Directory domain named contoso.com. The domain
contains two servers named Server1 and Server2 that run Windows Server 2012 R2. All
domain computers have certificates that are issued by a certification authority (CA) named
Contoso CA.

A user named User1 performs daily backups of the data on Server1 to a backup vault
named Vault1. A user named User2 performs daily backups of the data on Server2 to a
vault named Vault2.

You have the administrative credentials for Server2.

You need to restore the data from the last backup of Server1 to Server2.

Which two pieces of information do you require to complete the task? Each correct answer
presents part of the solution.

A. the Microsoft Azure subscription credentials
B. the Vault2 credentials
C. the User1 credentials
D. the Vault1 credentials
E. the Server1 certificate
F. the Server2 certificate
G. the Server1 passphrase
H. the Server2 passphrase

Answer: D,G
Explanation:

We need the Vault1 credentials to be able to access the data in Vault1.


We need the passphrase of Server1 to access the backup that was made on Server1.

Reference: Microsoft Azure - Cloud Backup and Recovery

http://blogs.technet.com/b/rmurphy/archive/2014/12/02/microsoft-azure-backup.aspx

Question No : 207 - (Topic 3)

You have a server named Server1 that runs Windows Server 2012 R2.

Windows Server 2012 R2 is installed on volume C.

You need to ensure that Safe Mode with Command Prompt loads the next time Server1
restarts.

Which tool should you use?

A. The Restart-Server cmdlet
B. The Bootcfg command
C. The Restart-Computer cmdlet
D. The Bcdedit command

Answer: D
Explanation:

How To Force Windows To Restart in Safe Mode


1. Open Advanced Startup Options in Windows 8
2. Open Command Prompt.
3. With Command Prompt open, execute the correct bcdedit command as shown below
based on which Safe Mode option you'd like to start:

Safe Mode:
bcdedit /set {default} safeboot minimal

http://pcsupport.about.com/od/repair-recovery/a/force-or-stop-safe-mode-windows.htm

Question No : 208 - (Topic 3)

Your network contains an Active Directory forest named contoso.com. The forest contains
four domains. All servers run Windows Server 2012 R2.

Each domain has a user named User1.

You have a file server named Server1 that is used to synchronize user folders by using the
Work Folders role service.

Server1 has a work folder named Sync1.

You need to ensure that each user has a separate folder in Sync1.

What should you do?

A. From Windows Explorer, modify the Sharing properties of Sync1.
B. Run the Set-SyncServerSetting cmdlet.
C. From File and Storage Services in Server Manager, modify the properties of Sync1.
D. Run the Set-SyncShare cmdlet.

Answer: D
Explanation:

The Set-SyncShare cmdlet modifies the settings for a sync share.

Example: Modify a sync share to add a user group


This example modifies settings on the share named Share01, and enables the user group
named ContosoEngGroup to access the share.
The first command uses the Get-SyncShare cmdlet to retrieve the sync share for Share01,
and assigns the results to the variable $Current.

The second command uses the Set-SyncShare cmdlet to modify the sync share and add
the current user and the ContosoEngGroup to the list of users allowed to access the share.

PS C:\> $Current = Get-SyncShare Share01
PS C:\> Set-SyncShare Share01 -User $Current.user,"ContosoEngGroup"
PS C:\> Get-SyncShare Share01   # See %username% below
ConflictResolutionPolicy : KeepLatest
Description :
DevicePolicy : Share01
Enabled : True
ExclusiveAccessToUser : False
Name : Share01
Path : K:\Share01
StagingFolder : K:\EcsStagingArea\Share01
StagingQuota : 1099511627776
StagingQuotaPerUser : 10737418240
Type : User Data
User : {HRGroup, EngGroup}
UserFolderName : %username% // <-- This line!!
PSComputerName

Reference: Set-SyncShare

http://technet.microsoft.com/en-US/library/dn296649.aspx

Question No : 209 - (Topic 3)

Your network contains an Active Directory domain named contoso.com. The domain
contains two servers named Server1 and Server2. Both servers have the Hyper-V server
role installed.

You plan to replicate virtual machines between Server1 and Server2. The replication will be
encrypted by using Secure Sockets Layer (SSL).

You need to request a certificate on Server1 to ensure that the virtual machine replication
is encrypted.

Which two intended purposes should the certificate for Server1 contain? (Each correct
answer presents part of the solution. Choose two.)

A. Client Authentication
B. Kernel Mode Code Signing
C. Server Authentication
D. IP Security end system
E. KDC Authentication

Answer: A,C
Explanation:

You need to use certificate-based authentication if you want transmitted data to be
encrypted.

Replica Server Certificate Requirements

To enable a server to receive replication traffic, the certificate in the replica server must
meet the following conditions
* Enhanced Key Usage must support both Client and Server authentication
Etc.
Reference: Hyper-V Replica - Prerequisites for certificate based deployments

http://blogs.technet.com/b/virtualization/archive/2012/03/13/hyper-v-replica-certificate-requirements.aspx
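
An added example (not from the original page or from Microsoft's documentation) that checks the one condition quoted above, Enhanced Key Usage covering both Client and Server Authentication, against the certificates in a host's Local Machine store. The function name Test-ReplicaCertificate is hypothetical, and the private-key and validity-period columns are general TLS sanity checks added here, not items from the page's list.

```powershell
# Added example: report which certificates in the local computer store meet the
# Hyper-V Replica EKU condition quoted above. Run on the Hyper-V host in an
# elevated PowerShell session.

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication

function Test-ReplicaCertificate {     # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        # Read the OIDs from the Enhanced Key Usage extension, if there is one.
        # Assumption: a certificate with no EKU extension is reported as lacking
        # both usages (a strict reading of "must support both").
        $ekuExtension = $Certificate.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $ekuOids = @()
        if ($ekuExtension) {
            $ekuOids = @($ekuExtension.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }

        $hasServerAuth = $ekuOids -contains $ServerAuthOid
        $hasClientAuth = $ekuOids -contains $ClientAuthOid
        $now = Get-Date

        [pscustomobject]@{
            Subject       = $Certificate.Subject
            ServerAuth    = $hasServerAuth
            ClientAuth    = $hasClientAuth
            # General sanity checks added for this example (not from the page):
            HasPrivateKey = $Certificate.HasPrivateKey
            InValidity    = ($Certificate.NotBefore -le $now -and $now -le $Certificate.NotAfter)
            # The condition the page states: both usages present.
            MeetsEku      = ($hasServerAuth -and $hasClientAuth)
            Thumbprint    = $Certificate.Thumbprint
        }
    }
}

# Evaluate every certificate in the computer's personal store and list the
# candidates that satisfy the EKU condition first.
Get-ChildItem -Path Cert:\LocalMachine\My |
    Test-ReplicaCertificate |
    Sort-Object -Property MeetsEku -Descending |
    Format-Table -AutoSize Subject, ServerAuth, ClientAuth, HasPrivateKey, InValidity, MeetsEku, Thumbprint
```

A certificate that shows ServerAuth but not ClientAuth fails the quoted condition even though it would work for an ordinary HTTPS listener.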

Question No : 210 - (Topic 3)

You have a server named Server1 that runs Windows Server 2012 R2. Server1 has the
DNS Server server role installed.

You need to store the contents of all the DNS queries received by Server1.

What should you configure?

A. Logging from Windows Firewall with Advanced Security
B. Debug logging from DNS Manager
C. A Data Collector Set (DCS) from Performance Monitor
D. Monitoring from DNS Manager

Answer: B
Explanation:

Debug logging allows you to log the packets sent and received by a DNS server. Debug
logging is disabled by default, and because it is resource intensive, you should only
activate it temporarily when you need more specific detailed information about server
performance.

Reference: Active Directory 2008: DNS Debug Logging Facts…

Question No : 211 - (Topic 3)

Your network contains two servers named Server1 and Server2. Both servers run
Windows Server 2012 R2 and have the Hyper-V server role installed.

Server1 hosts a virtual machine named VM1. The virtual machine configuration files and
the virtual hard disks for VM1 are stored in D:\VM1.

You shut down VM1 on Server1.

You copy D:\VM1 to D:\VM1 on Server2.

You need to start VM1 on Server2. You want to achieve this goal by using the minimum
amount of administrative effort.

What should you do?

A. Run the Import-VMInitialReplication cmdlet.
B. Create a new virtual machine on Server2 and attach the VHD from VM1 to the new
virtual machine.
C. From Hyper-V Manager, run the Import Virtual Machine wizard.
D. Run the Import-IscsiVirtualDisk cmdlet.

Answer: C
Explanation:


Starting in Windows Server 2012, you no longer need to export a virtual machine to be able
to import it. You can simply copy a virtual machine and its associated files to the new host,
and then use the Import Virtual Machine wizard to specify the location of the files. This
registers the virtual machine with Hyper-V and makes it available for use.

In addition to the wizard, the Hyper-V module for Windows PowerShell includes cmdlets for
importing virtual machines. For more information, see Import-VM.

Reference: Overview of exporting and importing a virtual machine

Question No : 212 - (Topic 3)

Your network contains one Active Directory domain named contoso.com.

From the Group Policy Management console, you view the details of a Group Policy object
(GPO) named GPO1 as shown in the exhibit. (Click the Exhibit button.)

You need to ensure that the comments field of GPO1 contains a detailed description of
GPO1.

What should you do?

Exhibit: * Missing*

A. From Group Policy Management, click View, and then click Customize.
B. From Active Directory Users and Computers, edit the properties of
contoso.com/System/Policies/{229DCD27-9D98-ACC2-A6AE-ED765F065FF5}.
C. Open GPO1 in the Group Policy Management Editor, and then modify the properties of
GPO1.
D. From Notepad, edit
\\contoso.com\SYSVOL\contoso.com\Policies\{229DCD27-9D98-ACC2-A6AE-ED765F065FF5}\gpt.ini.

Answer: C
Explanation:

You can include comments for each Group Policy object. You can use this space to
document the Group Policy object and why its implementation is important to your
environment. Commenting GPOs allows you to later use a keyword filter to help you quickly
find GPOs with matching keywords.

Adding a comment to a Group Policy object
✑ Open the Group Policy Management Console. Expand the Group Policy Objects node.
✑ Right-click the Group Policy object you want to comment and then click Edit.
✑ In the console tree, right-click the name of the Group Policy object and then click
Properties.
✑ Click the Comment tab.
✑ Type your comments in the Comment box.
✑ Click OK.

Reference: Comment a Group Policy Object

https://technet.microsoft.com/en-us/library/cc770974.aspx

Question No : 213 - (Topic 3)

You have a DNS server named Server1 that runs Windows Server 2012 R2.

You need to disable recursion on Server1.

What are three possible ways to achieve the goal? Each correct answer presents a
complete solution.

A. From DNS Manager, modify the Advanced properties of Server1.
B. Create a forward lookup zone named GlobalNames.
C. From DNS Manager, modify the Forwarders properties of Server1.
D. Create a reverse lookup zone named 0.in-addr.arpa.
E. Create a forward lookup zone named “.”.
F. Run dnscmd.exe and specify the /config parameter.

Answer: A,E,F
Explanation:

A: To disable recursion on the DNS server using the Windows interface


✑ Open DNS Manager.
✑ In the console tree, right-click the applicable DNS server, then click Properties.
✑ Click the Advanced tab.
✑ In Server options, select the Disable recursion check box, and then click OK.

E: Disable recursion on DNS servers that do not respond to DNS clients directly and that
are not configured with forwarders. A DNS server requires recursion only if it responds to
recursive queries from DNS clients or if it is configured with a forwarder. DNS servers use
iterative queries to communicate with each other.
The DNS server has root DNS servers in its configuration, so it returns the root DNS server
details each time it is queried for a nonexistent domain name. To prevent this, we need to
create a forward lookup zone with the name “.”.

F: To disable recursion on the DNS server using a command line


✑ Open a command prompt.
✑ Type the following command, and then press ENTER:
dnscmd <ServerName> /Config /NoRecursion {1|0}

Reference: Disable Recursion on the DNS Server

https://technet.microsoft.com/en-us/library/cc771738.aspx

Reference: Setting up an authoritative DNS in Windows Server 2008

http://websistent.com/authoritative-dns-in-windows-server-2008/

Question No : 214 - (Topic 3)

You have a group Managed Service Account named Service01. Three servers named
Server01, Server02, and Server03 currently use the Service01 service account.

You plan to decommission Server01.

You need to remove the cached password of the Service01 service account from Server01.
The solution must ensure that Server02 and Server03 continue to use Service01.

Which cmdlet should you run?

A. Set-ADServiceAccount
B. Reset-ADServiceAccountPassword
C. Remove-ADServiceAccount
D. Uninstall-ADServiceAccount

Answer: B
Explanation:

We reset the password for the service.

The Reset-ADServiceAccountPassword cmdlet resets the service account password for
the local computer. This cmdlet needs to be run on the computer where the service
account is installed.
Incorrect:
Not A: The Set-ADServiceAccount cmdlet cannot modify the password of the service.

Reference: Reset-ADServiceAccountPassword

https://technet.microsoft.com/en-us/library/ee617201.aspx

Question No : 215 - (Topic 3)

Your network contains one Active Directory forest named contoso.com. The forest contains
two child domains and six domain controllers. The domain controllers are configured as
shown in the following table.

You need to prevent administrators from accidentally deleting any of the sites in the forest.

What should you use?

A. Set-ADSite
B. Set-ADReplicationSite
C. Set-ADDomain
D. Set-ADReplicationSiteLink
E. Set-ADGroup
F. Set-ADForest
G. Netdom

Answer: B
Explanation:


The Set-ADReplicationSite cmdlet sets the replication properties for an Active Directory site.
Parameter: -ProtectedFromAccidentalDeletion<Boolean>
Specifies whether to prevent the object from being deleted. When this property is set to
$True, you cannot delete the corresponding object without changing the value of the
property. The acceptable values for this parameter are:

-- $False or 0
-- $True or 1

Reference: Technet, Set-ADReplicationSite

https://technet.microsoft.com/en-us/library/hh852305(v=wps.630).aspx

Question No : 216 DRAG DROP - (Topic 3)

Your network contains an Active Directory domain named contoso.com. The domain
contains two DHCP servers named DHCP1 and DHCP2 that run Windows Server 2012 R2.

You install the IP Address Management (IPAM) Server feature on a member server named
Server1 and you run the Invoke-IpamGpoProvisioning cmdlet.

You need to manage the DHCP servers by using IPAM on Server1.

Which three actions should you perform?

To answer, move the three appropriate actions from the list of actions to the answer area
and arrange them in the correct order.

Answer:

Explanation:
Box 1: Provision the IPAM server.
Box 2: Configure server discovery.
Box 3: Set the manageability status of the server.

Question No : 217 HOTSPOT - (Topic 3)

You have a server named Server1 that runs Windows Server 2012 R2. The volumes on
Server1 are configured as shown in the following table.

A new corporate policy states that backups must use Windows Azure Online Backup
whenever possible.

You need to identify which backup methods you must use to back up Server1. The solution
must use Windows Azure Online Backup whenever possible.

Which backup type should you identify for each volume?

To answer, select the appropriate backup type for each volume in the answer area.


Answer:

Explanation:


Box 1: Windows Server Backup
Volume1 is NTFS and on a fixed disk, but BitLocker is used.
Windows Azure Online Backup cannot back up a volume that has BitLocker.

Box 2: Windows Azure Online Backup
Volume2 is NTFS, on a fixed disk, and BitLocker is not used.
Windows Azure Online Backup can be used.

Box 3: Windows Server Backup
Volume3 is not on a fixed disk. It is on a USB disk.
Additionally, BitLocker is used.
Windows Azure Online Backup cannot be used.

Box 4: Windows Server Backup
Volume3 is not on a fixed disk. It is on a USB disk.
Windows Azure Online Backup cannot be used.

Note: You can use Microsoft Azure Backup to back up content stored on fixed NTFS
volumes. It cannot be used in the following situations:
Volume is locked by BitLocker Drive Encryption. If BitLocker is enabled on the volume, the
volume must be unlocked before it can be backed up.
Drive type is not fixed.
Volume is not formatted with NTFS.

Volume is read-only.
Volume is not currently online.
Volume is on a network share.

Question No : 218 HOTSPOT - (Topic 3)

Your network contains an Active Directory domain named contoso.com. The domain
contains a DNS server named Server1. Server1 is configured to resolve single-label names
for DNS clients.

You need to view the number of queries for single-label names that are resolved by
Server1.

What command should you run?

To answer, select the appropriate options in the answer area.

Answer:


Explanation:

* The Get-DnsServerStatistics cmdlet retrieves statistics of a Domain Name System (DNS)
server. If the ZoneName parameter is specified, this cmdlet gets statistics for the zones
specified by that parameter.

* To help network administrators migrate to DNS for all name resolution, the DNS Server
role in Windows Server 2008 (and later) supports a specially named zone, called
GlobalNames. By deploying a zone with this name, you can have the static, global records
with single-label names, without relying on WINS. These single-label names typically refer
to records for important, well-known and widely-used servers—servers that are already
assigned static IP addresses and that are currently managed by IT administrators using
WINS.

Question No : 219 - (Topic 3)

Your network contains an Active Directory domain named contoso.com. The domain
contains two member servers named Server1 and Server2 that run Windows Server 2012
R2. Both servers have the Hyper-V server role installed.

The network contains an enterprise certification authority (CA). All servers are enrolled
automatically for a certificate based on the Computer certificate template.

On Server1, you have a virtual machine named VM1. VM1 is replicated to Server2.

You need to encrypt the replication of VM1.

Which two actions should you perform? (Each correct answer presents part of the solution.
Choose two.)

A. On Server1, modify the Hyper-V Settings.
B. On Server2, modify the settings of VM1.
C. On Server2, modify the Hyper-V Settings.
D. On Server1, modify the settings of VM1.
E. On Server1, modify the settings of the virtual switch to which VM1 is connected.
F. On Server2, modify the settings of the virtual switch to which VM1 is connected.

Answer: B,C
Explanation:
B. Each virtual machine that is to be replicated must be enabled for replication (on the
replica server – Server2).

C. To configure the Replica server (here Server2)


✑ In Hyper-V Manager, click Hyper-V Settings in the Actions pane.
✑ In the Hyper-V Settings dialog, click Replication Configuration.
✑ In the Details pane, select Enable this computer as a Replica server.
✑ In the Authentication and ports section, select the authentication method. For
either authentication method, specify the port to be used (the default ports are 80
for Kerberos over HTTP and 443 for certificate-based authentication over HTTPS).
✑ If you are using certificate-based authentication, click Select Certificate and
provide the request certificate information.
Etc

Reference: Deploy Hyper-V Replica Step 2: Enable Replication

Question No : 220 - (Topic 3)

Your network contains an Active Directory domain named contoso.com. The domain
contains an IP Address Management (IPAM) server that uses a Windows Internal
Database.

You install a Microsoft SQL Server 2012 instance on a new server.

You need to migrate the IPAM database to the SQL Server instance.

Which cmdlet should you run?

A. Disable-IpamCapability
B. Set-IpamConfiguration
C. Update-IpamServer
D. Move-IpamDatabase

Answer: D
Explanation:

The Move-IpamDatabase cmdlet migrates the IP Address Management (IPAM) database
to a Microsoft SQL Server database. You can migrate from Windows Internal Database
(WID) or from a SQL Server database. The cmdlet creates a new IPAM schema and copies
all data from the existing IPAM database. After the cmdlet completes copying data, it
changes IPAM configuration settings to refer to the new database as the IPAM database.

Reference: Move-IpamDatabase

Question No : 221 HOTSPOT - (Topic 3)

Your network contains one Active Directory forest named adatum.com. The forest contains
a single domain.

The forest contains the domain controllers configured as shown in the following table.


Recently, a domain controller named DC4 was deployed to adatum.com. DC4 is in the
Default-First-Site-Name site.

The adatum.com site links are configured as follows.

The schedule for SiteLink1 is shown in the SiteLink1 exhibit. (Click the Exhibit button.)

The schedule for SiteLink2 is shown in the SiteLink2 exhibit. (Click the Exhibit button.)

For each of the following statements, select Yes if the statement is true. Otherwise, select
No.

Answer:

Explanation:


* SiteLink1 replication is not available at 10:00.
* SiteLink1 and SiteLink2 replication is available on Friday at 23:00. Replication intervals
are 15 minutes and 30 minutes respectively.
* DefaultIPSitelink will be used to replicate an object from DC1 to DC4. The replication
interval of DefaultIPSitelink is 180 minutes.

Question No : 222 - (Topic 3)

Your network contains one Active Directory domain named contoso.com. The forest
functional level is Windows Server 2012. All servers run Windows Server 2012 R2. All
client computers run Windows 8.1.

The domain contains 10 domain controllers and a read-only domain controller (RODC)
named RODC01. All domain controllers and RODCs are hosted on a Hyper-V host that
runs Windows Server 2012 R2.

You need to identify which domain controllers are authorized to be cloned by using virtual
domain controller cloning.

Which cmdlet should you use?

A. Get-ADGroupMember
B. Get-ADDomainControllerPasswordReplicationPolicy
C. Get-ADDomainControllerPasswordReplicationPolicyUsage
D. Get-ADDomain
E. Get-ADOptionalFeature

Answer: A
Explanation:

If you want to be able to clone a domain controller, authorize the original source
domain controller to be used as the source for cloning by adding its computer object to
the new "Cloneable Domain Controllers" Active Directory group.
The Get-ADGroupMember cmdlet gets the members of an Active Directory group.
Members can be users, groups, and computers.
We use the Get-ADGroupMember cmdlet to retrieve the members of the "Cloneable
Domain Controllers" Active Directory group.

Reference: Safely Cloning an Active Directory Domain Controller with Windows Server
2012 - Step-by-Ste

http://blogs.technet.com/b/keithmayer/archive/2012/08/06/safely-cloning-an-active-directory-domain-controller-with-windows-server-2012-step-by-step-ws2012-hyperv-itpro-vmware.aspx

Question No : 223 - (Topic 3)

Your network contains an Active Directory forest named adatum.com. All servers run
Windows Server 2012 R2. The domain contains four servers. The servers are configured
as shown in the following table.

You need to deploy IP Address Management (IPAM) to manage DNS and DHCP.

On which server should you install IPAM?

A. Server1
B. Server2
C. Server3
D. Server4

Answer: D
Explanation:
An IPAM server is intended as a single-purpose server. It is not recommended to collocate
other network infrastructure roles such as DNS or DHCP on the same server. IPAM
installation is not supported on a domain controller, and discovery of DHCP servers will be
disabled if you install IPAM on a server that is also running the DHCP Server service. The
following features and tools are automatically installed when you install IPAM Server.

Reference: IPAM Deployment Planning

Question No : 224 HOTSPOT - (Topic 3)

Your network contains an Active Directory domain named contoso.com. The domain
contains the two servers.

The servers are configured as shown in the following table.

You investigate a report about the potential compromise of a private key for a certificate
issued to Server2.

You need to revoke the certificate issued to Server2. The solution must ensure that the
revocation can be reverted.

Which reason code should you select?

To answer, select the appropriate reason code in the answer area.


Answer:

Explanation:


If you specify "Certificate Hold" as the reason for revoking the certificate, it typically means
that you may want to unrevoke the certificate at a future time. Only certificates that have
been revoked with the reason of "Certificate Hold" can be unrevoked.

Question No : 225 DRAG DROP - (Topic 3)

You have a file server named Server1 that runs Windows Server 2012 R2. The folders on
Server1 are configured as shown in the following table.

A new corporate policy states that backups must use Windows Azure Online Backup
whenever possible.

You need to identify which technology you must use to back up Server1. The solution must
use Windows Azure Online Backup whenever possible.

What should you identify?

To answer, drag the appropriate backup type to the correct location or locations. Each
backup type may be used once, more than once, or not at all. You may need to drag the
split bar between panes or scroll to view content.

Answer:

Explanation:

* NTFS encrypted
Azure Backup supported

* NTFS compressed
Azure Backup supported
* At this time you cannot back up entire Azure Virtual Machines or perform a system state
backup of Azure Virtual Machines using Azure Backup.

Note: * NTFS encrypted + NTFS compressed
Azure Backup not supported

Question No : 226 - (Topic 3)

Your network contains an Active Directory domain named adatum.com. The domain
contains two sites named Site1 and Site2 and two domain controllers named DC1 and
DC2. DC1 is located in Site1 and DC2 is located in Site2.

You install an additional domain controller named DC3 in Site1 and you ship DC3 to Site2.

A technician connects DC3 to Site2.

You discover that users in Site2 are authenticated only by DC2.

You need to ensure that the users in Site2 are authenticated by both DC2 and DC3.

What should you do?

A. In Active Directory Users and Computers, configure the msDS-PrimaryComputer
attribute for DC3.
B. In Active Directory Users and Computers, configure the msDS-Site-Affinity attribute for
DC3.
C. From Active Directory Sites and Services, move DC3.
D. From Active Directory Sites and Services, modify the site link between Site1 and Site2.

Answer: C
Explanation:

DC3 needs to be moved to Site2 in AD DS

Reference: Move a domain controller between sites

http://technet.microsoft.com/en-us/library/cc759326(v=ws.10).aspx

Question No : 227 - (Topic 3)

Your network contains an Active Directory domain named contoso.com. The domain
contains a file server named Server1 that runs Windows Server 2012 R2.

You create a user account named User1 in the domain.

You need to ensure that User1 can use Windows Server Backup to back up Server1. The
solution must minimize the number of administrative rights assigned to User1.

What should you do?

A. Add User1 to the Backup Operators group.
B. Add User1 to the Power Users group.
C. Assign User1 the Backup files and directories user right and the Restore files and
directories user right.
D. Assign User1 the Backup files and directories user right.

Answer: D
Explanation:

Backup Operators have these permissions by default:

However the question explicitly says we need to minimize administrative rights. Since the
requirement is for backing up the data only--no requirement to restore or shutdown--then
assigning the "Back up files and directories user right" would be the correct answer.

Reference: Default local groups

http://technet.microsoft.com/en-us/library/cc787956(v=ws.10).aspx

http://technet.microsoft.com/en-us/library/cc756898(v=ws.10).aspx

http://technet.microsoft.com/en-us/library/cc771990.aspx

Question No : 228 - (Topic 3)

Your network contains an Active Directory domain named contoso.com. The domain
contains two member servers named Server1 and Server2. All servers run Windows Server
2012 R2.

Server1 and Server2 have the Failover Clustering feature installed. The servers are
configured as nodes in a failover cluster named Cluster1. Cluster1 contains a file server
role named FS1 and a generic service role named SVC1. Server1 is the preferred node for
FS1. Server2 is the preferred node for SVC1.

You plan to run a disk maintenance tool on the physical disk used by FS1.

You need to ensure that running the disk maintenance tool does not cause a failover to
occur.

What should you do before you run the tool?

A. Run Suspend-ClusterResource.
B. Run Suspend-ClusterNode.
C. Run cluster.exe and specify the pause parameter.
D. Run cluster.exe and specify the offline parameter.

Answer: D

Question No : 229 DRAG DROP - (Topic 3)

Your network contains four servers that run Windows Server 2012 R2.

Each server has the Failover Clustering feature installed. Each server has three network
adapters installed. An iSCSI SAN is available on the network.

You create a failover cluster named Cluster1. You add the servers to the cluster.

You plan to configure the network settings of each server node as shown in the following
table.

You need to configure the network settings for Cluster1.

What should you do?

To answer, drag the appropriate network communication setting to the correct cluster
network. Each network communication setting may be used once, more than once, or not
at all. You may need to drag the split bar between panes or scroll to view content.

Answer:

Explanation:

Allow cluster network communication for heartbeats.

Note: Heartbeats
The Cluster service, running on each node of the cluster, keeps track of the current state of
the nodes within a cluster and determines when a group and its resources fail over to an
alternate node. This communication takes the form of messages that are sent regularly
between each node's Cluster service. These messages are called heartbeats.

Question No : 230 - (Topic 3)

You have a failover cluster named Cluster1 that contains four nodes. All of the nodes run
Windows Server 2012 R2.

You need to force every node in Cluster1 to contact immediately the Windows Server
Update Services (WSUS) server on your network for updates.

Which tool should you use?

A. The Add-CauClusterRole cmdlet
B. The Wuauclt command
C. The Wusa command
D. The Invoke-CauScan cmdlet

Answer: A
Explanation:

The Add-CauClusterRole cmdlet adds the Cluster-Aware Updating (CAU) clustered role
that provides the self-updating functionality to the specified cluster. When the CAU
clustered role has been added to a cluster, the failover cluster can update itself on the
schedule that is specified by the user, without requiring an external computer to coordinate
the cluster updating process.

Incorrect:
Not B. The wuauclt utility allows you some control over the functioning of the Windows
Update Agent. It is updated as part of Windows Update.
The following are the command-line options for wuauclt.

Option: Description
/a /ResetAuthorization: Initiates an asynchronous background search for applicable updates. If Automatic Updates is disabled, this option has no effect.
/r /ReportNow: Sends all queued reporting events to the server asynchronously.
/? /h /help: Shows this help information.

Not D.
The Invoke-CauScan cmdlet performs a scan of cluster nodes for applicable updates and
returns a list of the initial set of updates that would be applied to each node in a specified
cluster.

Note: The Invoke-CauRun cmdlet performs a scan of cluster nodes for applicable updates
and installs those updates via an Updating Run on the specified cluster.

Reference: Add-CauClusterRole

http://technet.microsoft.com/en-us/library/hh847235(v=wps.620).aspx

Question No : 231 - (Topic 3)

You have two Hyper-V hosts named Host1 and Host2 that run Windows Server 2012 R2.
Host1 hosts a virtual machine named VM1 that is replicated to Host2. VM1 hosts an
internal web application.

You need to test the failover of VM1 to Host2. The solution must ensure that clients
continue to connect to VM1 on Host1.

Which cmdlet should you run?

A. Start-VMFailover
B. Export-VM
C. Move-VM
D. Test-VMReplicationConnection
E. Compare-VM

Answer: A
Explanation:

Start-VMFailover -AsTest
Creates a test virtual machine using the chosen recovery point. You can use a test virtual
machine to validate a Replica virtual machine. To stop a test failover, use the
Stop-VMFailover cmdlet.

The Start-VMFailover cmdlet can be used for the following tasks:
✑ Fail over a Replica virtual machine to a chosen recovery point.
✑ Start a planned failover on a primary virtual machine.
✑ Create a test virtual machine on a Replica virtual machine.

Reference: Start-VMFailover

https://technet.microsoft.com/en-us/library/jj136051(v=wps.630).aspx

Question No : 232 HOTSPOT - (Topic 3)

Your network contains two servers named Server1 and Server2 that run Windows Server
2012 R2. Server1 and Server2 have the Hyper-V server role installed.

Server1 and Server2 have different processor models from the same manufacturer.

On Server1, you plan to create a virtual machine named VM1. Eventually, VM1 will be
exported to Server2.

You need to ensure that when you import VM1 to Server2, you can start VM1 from saved
snapshots.

What should you configure on VM1?

To answer, select the appropriate node in the answer area.

Answer:

Explanation:

Use the Processor Compatibility Mode only in cases where VMs will migrate from one
Hyper-V-enabled processor type to another within the same vendor processor family.

Question No : 233 HOTSPOT - (Topic 3)

Your network contains 25 Web servers that run Windows Server 2012 R2.

You need to configure auditing policies that meet the following requirements:

✑ Generate an event each time a new process is created.
✑ Generate an event each time a user attempts to access a file share.

Which two auditing policies should you configure?

To answer, select the appropriate two auditing policies in the answer area.

Answer Area

Answer:

Explanation:

* Audit object access
Determines whether to audit the event of a user accessing an object (for example, file,
folder, registry key, printer, and so forth) which has its own system access control list
(SACL) specified.
* Audit process tracking
This security setting determines whether to audit detailed tracking information for events
such as program activation, process exit, handle duplication, and indirect object access.

Question No : 234 - (Topic 3)

You have a server named Server1 that runs Windows Server 2012 R2.

Each day, Server1 is backed up fully to an external disk.

On Server1, the disk that contains the operating system fails.

You replace the failed disk.

You need to perform a bare-metal recovery of Server1 by using the Windows Recovery
Environment (Windows RE).

What should you use?

A. The Wbadmin.exe command
B. The Repair-bde.exe command
C. The Get-WBBareMetalRecovery cmdlet
D. The Start-WBVolumeRecovery cmdlet

Answer: A
Explanation:

Wbadmin enables you to back up and restore your operating system, volumes, files,
folders, and applications from a command prompt.

Wbadmin start sysrecovery
runs a recovery of the full system (at least all the volumes that contain the operating
system's state). This subcommand is only available if you are using the Windows Recovery
Environment.

* Wbadmin start sysrecovery -backupTarget
Specifies the storage location that contains the backup or backups that you want to
recover. This parameter is useful when the storage location is different from where backups
of this computer

Incorrect:
Not B. Accesses encrypted data on a severely damaged hard disk if the drive was
encrypted by using BitLocker. Repair-bde can reconstruct critical parts of the drive and
salvage recoverable data as long as a valid recovery password or recovery key is used to
decrypt the data.
Not C. Gets the value that indicates whether the ability to perform bare metal recoveries
from backups has been added to the backup policy (WBPolicy object).
Not D. Starts a volume recovery operation.

Reference: Wbadmin start sysrecovery

http://technet.microsoft.com/en-us/library/cc742118.aspx

Question No : 235 - (Topic 3)

Your network contains an Active Directory domain named contoso.com. The domain
contains a domain controller named DC1 that runs Windows Server 2012 R2. DC1 has the
DHCP Server server role installed.

DHCP is configured as shown in the exhibit. (Click the Exhibit button.)

You discover that client computers cannot obtain IPv4 addresses from DC1.

You need to ensure that the client computers can obtain IPv4 addresses from DC1.

What should you do?

A. Activate the scope.
B. Authorize DC1.
C. Disable the Allow filters.
D. Disable the Deny filters.

Answer: C
Explanation:

You have enabled the Allow list but haven't entered any MAC addresses, thus everyone is
denied. Either disable the Allow filters or start adding MAC addresses to the Allow filter.

Note: MAC address based filtering allows specific control over which clients have access to
DHCP addresses. You can create a list of computers that are allowed to obtain DHCP
addresses from the server by adding the client MAC address to the list of allowed client
computers. By enabling the allow list, you automatically deny access to the DHCP server
addresses to any client computer not on the list.

Reference: DHCP: If the allow list is enabled, MAC address filtering should be populated

https://technet.microsoft.com/en-us/library/ee956897(v=ws.10)

Question No : 236 HOTSPOT - (Topic 3)

Your network contains an Active Directory domain named contoso.com. The domain
contains a server named Server1 that runs Windows Server 2012 R2. Server1 has the
Active Directory Federation Services server role installed.

You need to make configuration changes to the Windows Token-based Agent role service.

Which tool should you use?

To answer, select the appropriate tool in the answer area.

Answer:

Explanation:

To configure the Windows token-based agent
✑ Click Start, point to Administrative Tools, and then click Internet Information
Services (IIS) Manager.
Etc.

Question No : 237 - (Topic 3)

Your network contains an Active Directory domain named contoso.com. The domain
contains a member server named Server1. Server1 has the IP Address Management
(IPAM) Server feature installed.

A technician performs maintenance on Server1.

After the maintenance is complete, you discover that you cannot connect to the IPAM
server on Server1.

You open the Services console as shown in the exhibit. (Click the Exhibit button.)

You need to ensure that you can connect to the IPAM server.

Which service should you start?

A. Windows Process Activation Service
B. Windows Event Collector
C. Windows Internal Database
D. Windows Store Service (WSService)

Answer: C
Explanation:
Windows Internal Database

Windows Internal Database is a relational data store that can be used only by Windows
roles and features.
IPAM does not support external databases. Only a Windows Internal Database is
supported.
IPAM stores 3 years of forensics data (IP address leases, host MAC addresses, user
login/logoff information) for 100,000 users in a Windows Internal Database. There is no
database purge policy provided, and the administrator must purge data manually as
needed.

Incorrect:
Not A. IPAM works even if the Windows Process Activation Service is not running.
Not B. IPAM does not require the Windows Event Collector Service. It needs to be running
on the managed DC/DNS/DHCP computers.
Not D. IPAM does not require the Windows Store Service. It provides infrastructure support
for Windows Store. This service is started on demand and, if disabled, applications bought
using Windows Store will not behave correctly.

Reference: IPAM Deployment Planning

Question No : 238 - (Topic 3)

Your network contains an Active Directory domain named contoso.com. The domain
contains a server named Server1 that runs Windows Server 2012 R2. Server1 has the
Active Directory Rights Management Services server role installed.

Your company works with a partner organization that does not have its own Active
Directory Rights Management Services (AD RMS) implementation.

You need to create a trust policy for the partner organization.

The solution must meet the following requirements:

✑ Grant users in the partner organization access to protected content.
✑ Provide users in the partner organization with the ability to create protected
content.

Which type of trust policy should you create?

A. A federated trust
B. Windows Live ID
C. A trusted publishing domain
D. A trusted user domain

Answer: A
Explanation:

In AD RMS, rights can be assigned to users who have a federated trust with Active
Directory Federation Services (AD FS). This enables an organization to share access to
rights-protected content with another organization without having to establish a separate
Active Directory trust or Active Directory Rights Management Services (AD RMS)
infrastructure.

Incorrect:
Not C. Trusted publishing domains allow one AD RMS server to issue use licenses that
correspond with a publishing license issued by another AD RMS server, but in this scenario
the partner organization does not have any Active Directory.
Not D. A trusted user domain, often referred to as a TUD, is a trust between AD RMS
clusters, but in this scenario the partner organization does not have any Active Directory.

Reference: AD RMS and AD FS Considerations

http://technet.microsoft.com/en-us/library/dd772651(v=WS.10).aspx

Question No : 239 - (Topic 3)

Your network contains an Active Directory domain named contoso.com. The domain
contains two member servers named Server1 and Server2. All servers run Windows Server
2012 R2.

Server1 and Server2 have the Failover Clustering feature installed. The servers are
configured as nodes in a failover cluster named Cluster1. Cluster1 has access to four
physical disks. The disks are configured as shown in the following table.

You need to ensure that all of the disks can be added to a Cluster Shared Volume (CSV).

Which two actions should you perform? (Each correct answer presents part of the solution.
Choose two.)

A. Format Disk2 to use NTFS.
B. Format Disk3 to use NTFS.
C. Enable BitLocker on Disk4.
D. Disable BitLocker on Disk1.

Answer: A,D
Explanation:

A. In Windows Server 2012 R2, a disk or storage space for a CSV volume must be a basic
disk that is partitioned with NTFS or ReFS, but you cannot use a disk for a CSV that is
formatted with FAT or FAT32.

D. CSV supports BitLocker, but you would have to enable it on all nodes in the cluster.
Therefore we need to disable BitLocker on Disk1.

Incorrect:
Not B. ReFS would work fine. In Windows Server 2012 R2, a disk or storage space for a
CSV volume must be a basic disk that is partitioned with NTFS or ReFS.
Not C. BitLocker must be enabled on all disks for it to work for a CSV.

Reference: Use Cluster Shared Volumes in a Failover Cluster

https://technet.microsoft.com/en-us/library/jj612868.aspx

Reference: How to Configure BitLocker Encrypted Clustered Disks in Windows Server
2012

http://blogs.msdn.com/b/clustering/archive/2012/07/20/10332169.aspx

Question No : 240 - (Topic 3)

Your network contains an Active Directory forest named adatum.com. The forest contains
an Active Directory Rights Management Services (AD RMS) cluster.

A partner company has an Active Directory forest named litwareinc.com. The partner
company does not have AD RMS deployed.

You need to ensure that users in litwareinc.com can consume rights-protected content from
adatum.com.

Which type of trust policy should you create?

A. A federated trust
B. A trusted user domain
C. A trusted publishing domain
D. Windows Live ID

Answer: A
Explanation:

In AD RMS, rights can be assigned to users who have a federated trust with Active
Directory Federation Services (AD FS). This enables an organization to share access to
rights-protected content with another organization without having to establish a separate
Active Directory trust or Active Directory Rights Management Services (AD RMS)
infrastructure.

Reference: AD RMS and AD FS Considerations

http://technet.microsoft.com/en-us/library/dd772651(v=WS.10).aspx

Question No : 241 HOTSPOT - (Topic 3)

Your network contains an Active Directory domain named contoso.com. The domain
contains a file server named Server1. Server1 is a BranchCache hosted cache server that
is located in a branch office.

The network contains client computers that run either Windows 7 or Windows 8.

For the branch office, all of the user accounts and the client computer accounts are located
in an organizational unit (OU) named Branch1. A Group Policy object (GPO) named GPO1
is linked to Branch1. GPO1 contains the BranchCache settings.

You discover that users in the branch office who have client computers that run Windows 7
do not access cached content from Server1. Users in the branch office who have Windows
8 computers access cached content from Server1.

You need to configure the Windows 7 computers to use BranchCache on Server1. Which
setting should you configure in GPO1?

To answer, select the appropriate setting in the answer area.

Answer:

Explanation:

Hosted Cache mode
In hosted cache mode, cached content is maintained on a computer running Windows
Server 2008 R2 on the branch office network.

Question No : 242 HOTSPOT - (Topic 3)

You need to configure Server1 to meet the following requirements:

✑ Ensure that old files in a folder named Folder1 are archived automatically to a folder
named Archive1.
✑ Ensure that JPG files can always be saved to a local computer, even when a file
screen exists.

Which two nodes should you configure?

Answer Area

Answer:

Explanation:

Node 1: File expiration tasks are used to automatically move all files that match certain
criteria to a specified expiration directory, where an administrator can then back those files
up and delete them.
To create a file expiration task
✑ Click the File Management Tasks node.
✑ Right-click File Management Tasks, and then click Create File Management Task
(or click Create File Management Task in the Actions pane). This opens the
Create File Management Task dialog box.
✑ In the Exception path text box, type or select the path that the exception will apply
to. The exception will apply to the selected folder and all of its subfolders.
Etc

Node 2:
Occasionally, you need to allow exceptions to file screening. For example, you might want
to block video files from a file server, but you need to allow your training group to save the
video files for their computer-based training. To allow files that other file screens are
blocking, create a file screen exception.
You assign file groups to determine which file types will be allowed in the file screen
exception.
To create a file screen exception
✑ In File Screening Management, click the File Screens node.
✑ Right-click File Screens, and click Create File Screen Exception (or select Create
File Screen Exception from the Actions pane). This opens the Create File Screen
Exception dialog box.
Etc.
Note: On the File Screening Management node of the File Server Resource Manager MMC
snap-in, you can perform the following tasks:
* Create file screens to control the types of files that users can save, and generate
notifications when users attempt to save unauthorized files.
* Define file screening templates that can be applied to new volumes or folders and that
can be used across an organization.
* Create file screening exceptions that extend the flexibility of the file screening rules.

Question No : 243 - (Topic 3)

Your network contains two Active Directory forests named contoso.com and adatum.com.
All domain controllers run Windows Server 2012 R2.

The adatum.com domain contains a Group Policy object (GPO) named GPO1. An
administrator from adatum.com backs up GPO1 to a USB flash drive.

You have a domain controller named dc1.contoso.com. You insert the USB flash drive in
dc1.contoso.com.

You need to identify the domain-specific reference in GPO1.

What should you do?

A. From the Migration Table Editor, click Populate from Backup.
B. From Group Policy Management, run the Group Policy Modeling Wizard.
C. From Group Policy Management, run the Group Policy Results Wizard.
D. From the Migration Table Editor, click Populate from GPO.

Answer: A
Explanation:

You can auto-populate a migration table by scanning one or more GPOs or backups to
extract all references to security principals and UNC paths, and then enter these items into
the table as source name entries. This capability is provided by the Populate from GPO
and Populate from Backup options.

Reference: The migration table editor

https://technet.microsoft.com/sv-se/library/Cc779961(v=WS.10).aspx

Question No : 244 DRAG DROP - (Topic 3)

Your network contains an Active Directory domain named contoso.com. The domain
contains two servers named Server1 and Server3. The network contains a standalone
server named Server2.

All servers run Windows Server 2012 R2. The servers are configured as shown in the
following table.

Server3 hosts an application named App1. App1 is accessible internally by using the URL
https://app1.contoso.com. App1 only supports Integrated Windows authentication.

You need to ensure that all users from the Internet are pre-authenticated before they can
access App1.

What should you do?

To answer, drag the appropriate servers to the correct actions. Each server may be used
once, more than once, or not at all. You may need to drag the split bar between panes or
scroll to view content.

Answer:

Explanation:

Box 1: Server1
For all types of application that you can publish using AD FS preauthentication, you must
add an AD FS relying party trust to the Federation Service.
Use Server1 as it has AD FS.

Box 2: Server2
When publishing applications that use Integrated Windows authentication, the Web
Application Proxy server uses Kerberos constrained delegation to authenticate users to the
published application.

Box 3: Server2
To publish a claims-based application

1. On the Web Application Proxy server, in the Remote Access Management console, in
the Navigation pane, click Web Application Proxy, and then in the Tasks pane, click
Publish.
2. On the Publish New Application Wizard, on the Welcome page, click Next.
Etc.

Box 4: Server2

Configure CAs and certificates (see c below)

Web Application Proxy servers require the following certificates in the certificate store on
each Web Application Proxy server:
a) A certificate whose subject covers the federation service name. If you want to use
Workplace Join, the certificate must also contain the following subject alternative names
(SANs): <federation service name>.<domain> and enterpriseregistration.<domain>.
b) A wildcard certificate, a subject alternative name (SAN) certificate, several SAN
certificates, or several certificates whose subjects cover each web application.

c) A copy of the certificate issued to external servers when using client certificate
preauthentication.

Question No : 245 - (Topic 3)

You have a server named Server1 that runs Windows Server 2012 R2.

You have a subscription to Windows Azure.

You need to register the Microsoft Azure Backup Agent on Server1.

What should you do first?

A. Install the Microsoft System Center 2012 Data Protection Manager (DPM) agent.
B. Create a backup vault.
C. Create a Site Recovery vault.
D. Configure a passphrase for the Azure Backup Agent.

Answer: B
Explanation:
To back up files and data from your Windows Server to Azure, you must create a backup
vault in the geographic region where you want to store the data. The main steps include:
* the creation of the vault you will use to store backups
* downloading a vault credential
* the installation of a backup agent

Reference: Configure Azure Backup to quickly and easily back up Windows Server

https://azure.microsoft.com/sv-se/documentation/articles/backup-configure-vault/

Question No : 246 HOTSPOT - (Topic 3)

Your network contains an Active Directory domain named contoso.com. The domain
contains two member servers named Server1 and Server2. All servers run Windows Server
2012.

Server1 and Server2 have the Hyper-V server role and the Failover Clustering feature
installed.

Server1 and Server2 are members of a cluster named Cluster1. Cluster1 hosts 10 virtual
machines.

When you try to migrate a running virtual machine from one server to another, you receive
the following error message: "There was an error checking for virtual machine compatibility
on the target node."

You need to ensure that the virtual machines can be migrated from one node to another.

From which node should you perform the configuration?

To answer, select the appropriate node in the answer area.

Answer:

Explanation:

The Migrate to a physical computer with a different processor version setting ensures that
the virtual machine uses only the features of the processor that are available on all
versions of a virtualization-capable processor by the same processor manufacturer. It does
not provide compatibility between different processor manufacturers.


Note: To enable processor compatibility mode for a virtual machine


✑ Click Start, point to Administrative Tools, and then click Hyper-V Manager.
✑ Select the server running Hyper-V and the desired virtual machine.
✑ If the virtual machine is running, you must shut down the virtual machine to change
the processor compatibility mode setting.
✑ In the Action pane, click Settings, and then click Processor.
✑ Expand Processor, and click Compatibility.
✑ Click Migrate to a physical computer with a different processor, and then click OK.

Question No : 247 - (Topic 3)

Your network contains one Active Directory domain named contoso.com. The domain
contains an IP Address Management (IPAM) server named Server1. Server1 manages
several DHCP and DNS servers.

From Server Manager on Server1, you create a custom role for IPAM.

You need to assign the role to a group named IP_Admins.

What should you do?

A. From Windows PowerShell, run the Add-Member cmdlet.
B. From Server Manager, create an access policy.
C. From Windows PowerShell, run the Set-IpamConfiguration cmdlet.
D. From Server Manager, create an access scope.

Answer: B
Explanation:

A role is a collection of IPAM operations. You can associate a role with a user or group in
Windows using an access policy. Several built-in roles are provided, but you can also
create customized roles to meet your business requirements.

Reference: Manage IPAM, Access Control

https://technet.microsoft.com/en-us/library/dn741281.aspx


Question No : 248 - (Topic 3)

You have an Active Directory Rights Management Services (AD RMS) cluster.

You need to prevent users from encrypting new content. The solution must ensure that the
users can continue to decrypt content that was encrypted already.

Which two actions should you perform? (Each correct answer presents part of the solution.
Choose two.)

A. From the Active Directory Rights Management Services console, enable
decommissioning.
B. From the Active Directory Rights Management Services console, create a user
exclusion policy.
C. Modify the NTFS permissions of %systemdrive%\inetpub\wwwroot\_wmcs\licensing.
D. Modify the NTFS permissions of
%systemdrive%\inetpub\wwwroot\_wmcs\decommission.
E. From the Active Directory Rights Management Services console, modify the rights policy
templates.

Answer: A,D
Explanation:
* Decommissioning refers to the entire process of removing the AD RMS cluster and its
associated databases from an organization. This process allows you to save rights-
protected files as ordinary files before you remove AD RMS from your infrastructure so that
you do not lose access to these files.
Decommissioning an AD RMS cluster is achieved by doing the following:
/ Enable the decommissioning service. (A)
/ Modify permissions on the decommissioning pipeline.
/ Configure the AD RMS-enabled application to use the decommissioning pipeline.

* To modify the permissions on the decommissioning pipeline

1. Log on to ADRMS-SRV as cpandl\administrator.
2. Click Start, type %systemdrive%\inetpub\wwwroot\_wmcs in the Start Search box, and
then press ENTER.
3. Right-click the decommission folder, and then click Properties.
4. Click the Security tab, click Edit, and then click Add. (D)

Etc.

Reference: Step 1: Decommission AD RMS Root Cluster

Question No : 249 - (Topic 3)

You have an enterprise certification authority (CA) named CA1.

You configure a recovery agent for CA1.

On CA1, you create a new certificate template named CertTemplate1, and then you
configure CA1 to allow certificates to be requested based on CertTemplate1.

You need to ensure that new certificates issued based on CertTemplate1 can be
recovered.

What should you do?

A. From the Certificate Templates console, modify the Issuance Requirements settings of
CertTemplate1.
B. From the Certification Authority console, modify the enrollment agents of CA1.
C. From the Certificate Templates console, modify the Request Handling settings of
CertTemplate1.
D. From the Certification Authority console, modify the certificate managers of CA1.

Answer: C
Explanation:

The key archival process takes place when a certificate is issued. Therefore, a certificate
template must be modified to archive keys before any certificates are issued based on this
template.
See step 7 below.

To configure a certificate template for key archival and recovery


✑ Open the Certificate Templates snap-in.
✑ In the details pane, right-click the certificate template that you want to change, and
then click Duplicate Template.
✑ In the Duplicate Template dialog box, click Windows Server 2003
Enterprise unless all of your certification authorities (CAs) and client computers are
running Windows Server 2008 R2, Windows Server 2008, Windows 7, or Windows
Vista.
✑ In Template, type a new template display name, and then modify any other
optional properties as needed.
✑ On the Security tab, click Add, type the name of the users or groups you want to
issue the certificates to, and then click OK.
✑ Under Group or user names, select the user or group names that you just added.
Under Permissions, select the Read and Enroll check boxes, and if you want to
automatically issue the certificate, also select the Autoenroll check box.
✑ On the Request Handling tab, select the Archive subject's encryption private
key check box.
✑ If users already have EFS certificates that are not configured for key archival and
recovery, click the Superseded Templates tab, click Add, and then click the name
of the template that you want to replace.
✑ Click OK.

Reference: Configure a Certificate Template for Key Archival

https://technet.microsoft.com/en-us/library/cc753826.aspx

Question No : 250 HOTSPOT - (Topic 3)

Your network contains an Active Directory domain named contoso.com. The domain
contains two member servers named Server1 and Server2. All servers run Windows Server
2012 R2.

Server1 and Server2 have the Hyper-V server role installed. The servers are configured as
shown in the following table.

You add a third server named Server3 to the network. Server3 has Intel processors.

You need to move VM3 and VM6 to Server3. The solution must minimize downtime on the
virtual machines.

Which method should you use to move each virtual machine?

To answer, select the appropriate method for each virtual machine in the answer area.

Answer:

Explanation:

VM3: export/import is the only option due to different processor manufacturers
VM6: Live migration can be used as both have Intel CPUs
Live Storage Migration requires same processor manufacturers
Live migration requires same processor manufacturers

Incorrect:
Quick migration has downtime

Question No : 251 - (Topic 3)

You have a server named Server1 that runs Windows Server 2012 R2. Server1 has the
File Server Resource Manager role service installed.

You are creating a file management task as shown in the exhibit. (Click the Exhibit button.)


You need to ensure that the Include all folders that store the following kinds of data list
displays an entry named Corporate Data.

What should you do?

A. Create a new file group.
B. Create a new classification property.
C. Modify the properties of the System Files file group.
D. Modify the Folder Usage classification property.

Answer: B
Explanation:

Classification properties are used to assign values to files.

Reference: Working with File Classification

Question No : 252 - (Topic 3)

Your network contains one Active Directory forest named contoso.com. The forest contains
two child domains and six domain controllers. The domain controllers are configured as
shown in the following table.

You create a trust between contoso.com and a domain in another forest at a partner
company.

You need to prevent the sales.contoso.com and the manufacturing.contoso.com names
from being used in authentication requests across the forest trust.

What should you use?

A. Set-ADSite
B. Set-ADReplicationSite
C. Set-ADDomain
D. Set-ADReplicationSiteLink
E. Set-ADGroup
F. Set-ADForest
G. Netdom

Answer: G
Explanation:

The Netdom trust command establishes, verifies, or resets a trust relationship between
domains.
Parameters include /RemoveTLNEX:
Removes the specified top level name exclusion (DNS Name Suffix) from the forest trust
info from the specified trust. Valid only for a forest transitive non-Windows realm trust and
can only be performed on the root domain for a forest.

Reference: Netdom trust

https://technet.microsoft.com/sv-se/library/Cc835085(v=WS.10).aspx

Question No : 253 - (Topic 3)

Your network contains one Active Directory forest named adatum.com. The forest contains
a single domain.

The site topology for the forest is shown in the exhibit. (Click the Exhibit button.)

*Exhibit is Missing*

Each site contains one domain controller. Site link bridging is disabled.

You need to ensure that changes made to Site1 replicate to Site5 within one replication
cycle.

What should you create?

A. a site link
B. a site
C. a site link bridge
D. a subnet

Answer: A
Explanation:

By creating a direct site-link between Site1 and Site5 changes made in Site1 can be
replicated in one cycle to Site5.

Reference: Active Directory Replication

https://technet.microsoft.com/en-us/library/dd277429.aspx

Question No : 254 DRAG DROP - (Topic 3)

Your network contains an Active Directory domain named adatum.com. The domain
contains three servers. The servers are configured as shown in the following table.

Server1 is configured as shown in the exhibit. (Click the Exhibit button.)

Template1 contains custom cryptography settings that are required by the corporate
security team.

On Server2, an administrator successfully installs a certificate based on Template1.

The administrator reports that Template1 is not listed in the Certificate Enrollment wizard
on Server3, even after selecting the Show all templates check box.

You need to ensure that you can install a server authentication certificate on Server3. The
certificate must comply with the cryptography requirements.

Which three actions should you perform in sequence?

To answer, move the appropriate three actions from the list of actions to the answer area
and arrange them in the correct order.

Answer:

Explanation:
Box 1:


Box 2:

Box 3:

Note:
Duplicate an existing template, modify the Compatibility Settings (to Windows Server
2008), and modify the Request Handling settings.

Question No : 255 - (Topic 3)

Your network contains an Active Directory domain named contoso.com. The domain
contains two member servers named Server1 and Server2. All servers run Windows Server
2012 R2.

Server1 and Server2 are nodes in a Hyper-V cluster named Cluster1. Cluster1 hosts 10
virtual machines. All of the virtual machines run Windows Server 2012 R2 and are
members of the domain.

You need to ensure that the first time a service named Service1 fails on a virtual machine,
the virtual machine is moved to a different node.

You configure Service1 to be monitored from Failover Cluster Manager.

What should you configure on the virtual machine?

A. From the Recovery settings of Service1, set the First failure recovery action to Take No
Action.
B. From the General settings, modify the Startup type.
C. From the Recovery settings of Service1, set the First failure recovery action to Restart
the Service.
D. From the General settings, modify the Service status.

Answer: A
Explanation:

When a monitored service fails, the Recovery features of the service will take action.

Example:

Service Recovery

In this case, for the first failure the service will be restarted by the Service Control
Manager inside the guest operating system. If the service fails a second time, the service
will again be restarted by the guest operating system. In case of a third failure, the
Service Control Manager will take no action and the Cluster service running on the Hyper-V
host will take over recovery actions.

Reference: How to configure VM Monitoring in Windows Server 2012

Question No : 256 - (Topic 3)

Your network contains an Active Directory forest named contoso.com. The forest contains
a single domain. The forest contains three Active Directory sites named SiteA, SiteB, and
SiteC. The sites contain four domain controllers. The domain controllers are configured as
shown in the following table.

An IP site link exists between each site.

You discover that the users in SiteC are authenticated by the domain controllers in SiteA
and SiteB.

You need to ensure that the SiteC users are authenticated by the domain controllers in
SiteB, unless all of the domain controllers in SiteB are unavailable.

What should you do?

A. Create an SMTP site link between SiteB and SiteC.
B. Create additional connection objects for DC1 and DC2.
C. Decrease the cost of the site link between SiteB and SiteC.
D. Create additional connection objects for DC3 and DC4.

Answer: C

Explanation:

By decreasing the site link cost between SiteB and SiteC the SiteC users would be
authenticated by SiteB rather than by SiteA.

Question No : 257 - (Topic 3)

Your network contains an Active Directory domain named contoso.com. The domain
contains two servers named Server1 and Server2. Both servers have the IP Address
Management (IPAM) Server feature installed.

You have a support technician named Tech1. Tech1 is a member of the IPAM
Administrators group on Server1 and Server2.

You need to ensure that Tech1 can use Server Manager on Server1 to manage IPAM on
Server2.

To which group on Server2 should you add Tech1?

A. IPAM MSM Administrators
B. IPAM Administrators
C. winRMRemoteWMIUsers_
D. Remote Management Users

Answer: C
Explanation:

If you are accessing the IPAM server remotely using Server Manager IPAM client RSAT,
then you must be a member of the WinRMRemoteWMIUsers group on the IPAM server, in
addition to being a member of the appropriate IPAM security group (or local Administrators
group).

Reference: IPAM Deployment Planning, IPAM specifications

Question No : 258 HOTSPOT - (Topic 3)

You have a server named Server1 that runs Windows Server 2012 R2.

Server1 has access to disks that connect to a RAID controller, iSCSI disks, and disks
connected to a SCSI controller.

You plan to use a tiered storage space on Server1.

You need to identify which storage controller and volume type you must use for the tiered
storage space.

Which storage components should you use?

To answer, select the appropriate options in the answer area.

Answer:

Explanation:

Box 1, Storage controller: SCSI

Storage Spaces requirements include:
* Serial ATA (SATA) or Serial Attached SCSI (SAS) connected disks, optionally in a
just-a-bunch-of-disks (JBOD) enclosure
Note: RAID adapters, if used, must have all RAID functionality disabled

Box 2, Storage volume type:


* Storage pools. A collection of physical disks that enable you to aggregate disks, expand
capacity in a flexible manner, and delegate administration.

* Storage spaces. Virtual disks created from free space in a storage pool. Storage spaces
have such attributes as resiliency level, storage tiers, fixed provisioning, and precise
administrative control.

Illustration:

http://www.miru.ch/wp-content/uploads/2013/07/071813_2125_Creatingati1.png

Question No : 259 - (Topic 3)

Your network contains an Active Directory forest. The forest contains one domain named
contoso.com. The domain contains three domain controllers. The domain controllers are
configured as shown in the following table.


DC1 has all of the operations master roles installed.

You transfer all of the operations master roles to DC2, and then you uninstall Active
Directory from DC1.

You need to ensure that you can use Password Settings objects (PSOs) in the domain.

What should you do?

A. Change the domain functional level.
B. Upgrade DC2.
C. Run the dcgpofix.exe command.
D. Transfer the schema master role.

Answer: A
Explanation:

The domain functional level must be Windows Server 2008 to use PSOs.

Requirements and special considerations for fine-grained password and account lockout
policies:
* Domain functional level: The domain functional level must be set to Windows Server 2008
or higher.
Etc.

Incorrect:
Not B. DC2 is also Windows Server 2008.
Not C. Recreates the default Group Policy Objects (GPOs) for a domain
Not D. Schema isn't up to right level

Reference: AD DS: Fine-Grained Password Policies

http://technet.microsoft.com/en-us/library/cc770394(v=ws.10).aspx


Question No : 260 - (Topic 3)

You have a server named Server1 that runs Windows Server 2012 R2.

You install the File and Storage Services server role on Server1.

From Windows Explorer, you view the properties of a folder named Folder1 and you
discover that the Classification tab is missing.

You need to ensure that you can assign classifications to Folder1 from Windows Explorer
manually.

What should you do?

A. From Folder Options, clear Hide protected operating system files (Recommended).
B. Install the File Server Resource Manager role service.
C. From Folder Options, select the Always show menus.
D. Install the Share and Storage Management Tools.

Answer: B
Explanation:

On the Classification tab of the file properties in Windows Server 2012, File Classification
Infrastructure adds the ability to manually classify files. You can also classify folders so
that any file added to the classified folder will inherit the classifications of the parent folder.

Reference: What's New in File Server Resource Manager in Windows Server.

Question No : 261 HOTSPOT - (Topic 3)

Your network contains one Active Directory forest named contoso.com and one Active
Directory forest named adatum.com. Each forest contains a single domain.

You have the domain controllers configured as shown in the following table.


You perform the following three actions:

✑ Create a user named User1 on DC3.
✑ Create a file named File1.txt in the SYSVOL folder on DC1.
✑ Create a Group Policy object (GPO) named GPO1 on DC1 and link GPO1 to
Site2.

You need to identify on which domain controller or controllers each object is stored.

What should you identify? To answer, select the appropriate options in the answer area.

Answer:

Explanation:

* SYSVOL is simply a folder which resides on each and every domain controller within the
domain. It contains the domain's public files that need to be accessed by clients and kept
synchronised between domain controllers.
Here File1.txt will be stored on both domain controllers in contoso.com (DC1 and DC2).

* User1 will be stored on both domain controllers in adatum.com (DC3 and DC4), and on
the global catalog server in contoso.com (DC1).

* The global catalog is the set of all objects in an Active Directory Domain Services (AD
DS) forest. A global catalog server is a domain controller that stores a full copy of all
objects in the directory for its host domain and a partial, read-only copy of all objects for all
other domains in the forest. Global catalog servers respond to global catalog queries.

GPO1 will be stored on the global catalog servers in the forest (DC1 and DC3).

Question No : 262 HOTSPOT - (Topic 3)

Your network contains two Web servers named Server1 and Server2. Both servers run
Windows Server 2012 R2.

Server1 and Server2 are nodes in a Network Load Balancing (NLB) cluster. The NLB
cluster contains an application named App1 that is accessed by using the name
appl.contoso.com.

The NLB cluster has the port rules configured as shown in the exhibit. (Click the Exhibit
button.)


To answer, complete each statement according to the information presented in the exhibit.
Each correct selection is worth one point.

Answer:


Explanation:

* Port 80 is in Single mode.
* An HTTP session is a sequence of network request-response transactions. An HTTP
client initiates a request by establishing a Transmission Control Protocol (TCP) connection
to a particular port on a server (typically port 80, occasionally port 8080).

Question No : 263 DRAG DROP - (Topic 3)

Your network contains an Active Directory forest. The forest contains a single domain
named contoso.com.

The forest contains two Active Directory sites named Main and Branch1. The sites connect
to each other by using a site link named Main-Branch1. There are no other site links.

Each site contains several domain controllers. All domain controllers run Windows Server
2012 R2. Your company plans to open a new branch site named Branch2. The new site will
have a WAN link that connects to the Main site only. The site will contain two domain
controllers that run Windows Server 2012 R2.

You need to create a new site and a new site link for Branch2. The solution must ensure
that the domain controllers in Branch2 only replicate to the domain controllers in Branch1 if
all of the domain controllers in Main are unavailable.

Which three actions should you perform?

To answer, move the three appropriate actions from the list of actions to the answer area
and arrange them in the correct order.

Answer:

Explanation:


So the first part of this answer is:

1. Create a new site object named Branch2
* When you create the new site Branch2, you will be prompted to associate it with a site
link. Right now we only have one site link (Main-Branch1). Hit Finish.
2. Remove the Branch2 site from the Main-Branch1 site link
* To move a site into a new site link, you must first remove it from its previous site
link. In this case Branch2 was put in Main-Branch1 when we created the new site, because
we didn't have another site link to associate the new site with at the time we created it.
3. Create a new site link object named Main-Branch2
* When you create the site link object, you will be asked to place the appropriate sites in
this link. Choose Main and Branch2.
Because we are using intersite topology replication, the ISTG (similar to the KCC for
intrasite replication) will build a logical transitive connection path between all site links,
because site link bridging is enabled by default and it is a Microsoft best practice to leave
this default.
By default a site link has a cost of 100, so the Main-Branch1 site link costs 100. Since we
do not have a site link established between Branch2 and Branch1, the ISTG will create a
logical path that travels along the Main-Branch2 site link (cost 100) and through the
Main-Branch1 site link (cost 100) to establish a replication connection in the event the
least-cost path goes down. Since the logical path cost is 200, Branch2 will only replicate
with Branch1 if the site link to the Main site goes down.

Question No : 264 - (Topic 3)

You have a server named Server1 that runs Windows Server 2012 R2.

You suspect that some protected system files are corrupt.

You need to verify the protected system files on Server1 and replace files that have
incorrect versions.

Which tool should you use?

A. Sfc
B. Repair-volume
C. Repair-FileIntegrity
D. Fsutil

Answer: A
Explanation:

Sfc scans and verifies the integrity of all protected system files and replaces incorrect
versions with correct versions.
Examples:
To verify the kernel32.dll file, type:
sfc /verifyfile=c:\windows\system32\kernel32.dll
To set up offline repair of the kernel32.dll file with an offline boot directory set to d: and
offline windows directory set to d:\windows, type:
sfc /scanfile=d:\windows\system32\kernel32.dll /offbootdir=d:\ /offwindir=d:\windows

Reference: Technet, sfc

https://technet.microsoft.com/en-us/library/ff950779.aspx

Question No : 265 - (Topic 3)

Your network contains an Active Directory forest named contoso.com.

Users frequently access the website of an external partner company. The URL of the
website is http://partners.adatum.com.

The partner company informs you that it will perform maintenance on its Web server and
that the IP addresses of the Web server will change.

After the change is complete, the users on your internal network report that they fail to
access the website. However, some users who work from home report that they can
access the website.

You need to ensure that your DNS servers can resolve partners.adatum.com to the correct
IP address immediately.

What should you do?

A. Run ipconfig and specify the FlushDns parameter.
B. Run ipconfig and specify the Renew parameter.
C. Run dnscmd and specify the ClearCache parameter.
D. Run Set-DnsServerResourceRecordAging.

Answer: C
Explanation: We can clear the DNS cache on the DNS server with either Dnscmd
/ClearCache (from command prompt) or Clear-DnsServerCache (from Windows
PowerShell).

Reference: Technet, Dnscmd

https://technet.microsoft.com/en-us/library/cc772069.aspx

Question No : 266 - (Topic 3)

You have a server named Server1 that runs Windows Server 2012 R2.

You start Server1 by using Windows RE.

You need to repair the Boot Configuration Data (BCD) store on Server1.

Which tool should you use?

A. Bootim
B. Bootsect
C. Bootrec
D. Bootcfg

Answer: C
Explanation:

How To Rebuild the BCD in Windows


1. Start Advanced Startup Options if you're using Windows 8.
2. Open Command Prompt from Advanced Startup Options or System Recovery Options
menu.
3. At the prompt, type the bootrec command as shown below and then press Enter:
bootrec /rebuildbcd.
The bootrec command will search for Windows installations not included in the Boot
Configuration Data and then ask you if you'd like to add one or more to it.

Incorrect:
Not B. Bootsect.exe updates the master boot code for hard disk partitions to switch
between BOOTMGR and NTLDR. You can use this tool to restore the boot sector on your
computer. This tool replaces FixFAT and FixNTFS.
Not D. The bootcfg command is a Microsoft Windows Server 2003 utility that modifies the
Boot.ini file.

Reference: How To Rebuild the BCD in Windows

http://pcsupport.about.com/od/fixtheproblem/ht/rebuild-bcd-store-windows.htm

Question No : 267 - (Topic 3)

Your network contains an Active Directory domain named contoso.com. The domain
contains a server named Server1 that runs Windows Server 2012 R2. Server1 has the
Active Directory Certificate Services server role installed and is configured to support key
archival and recovery.

You create a new Active Directory group named Group1.

You need to ensure that the members of Group1 can request a Key Recovery Agent
certificate.

The solution must minimize the permissions assigned to Group1.

Which two permissions should you assign to Group1? (Each correct answer presents part
of the solution. Choose two.)

A. Read
B. Auto enroll
C. Write
D. Enroll
E. Full control

Answer: A,D
Explanation:

See step 6 below.


To configure the Key Recovery Agent certificate template
✑ Open the Certificate Templates snap-in.
✑ In the console tree, right-click the Key Recovery Agent certificate template.
✑ Click Duplicate Template.
✑ In Template, type a new template display name, and then modify any other
optional properties as needed.
✑ On the Security tab, click Add, type the name of the users you want to issue the
key recovery agent certificates to, and then click OK.
✑ Under Group or user names, select the user names that you just added. Under
Permissions, select the Read and Enroll check boxes, and then click OK.

Reference: Identify a Key Recovery Agent

Question No : 268 - (Topic 3)

Your network contains an Active Directory forest named contoso.com. The forest contains
a single domain. The forest contains three Active Directory sites named SiteA, SiteB, and
SiteC. The sites contain four domain controllers. The domain controllers are configured as
shown in the following table.

An IP site link exists between each site.

You discover that the users in SiteC are authenticated by the domain controllers in SiteA
and SiteB.

You need to ensure that the SiteC users are authenticated by the domain controllers in
SiteB, unless all of the domain controllers in SiteB are unavailable.

What should you do?

A. Create an SMTP site link between SiteB and SiteC.
B. Decrease the cost of the site link between SiteB and SiteC.
C. Disable site link bridging.
D. Create additional connection objects for DC1 and DC2.

Answer: B
Explanation:

By decreasing the site link cost between SiteB and SiteC the SiteC users would be
authenticated by SiteB rather than by SiteA.

Question No : 269 - (Topic 3)

You have a server named Server1 that runs Windows Server 2012 R2. Server1 has the
DNS Server server role installed.

You need to configure Server1 to resolve queries for single-label DNS names.

Which two actions should you perform? (Each correct answer presents part of the solution.
Choose two.)

A. Run the Set-DNSServerGlobalNameZone cmdlet.
B. Modify the DNS suffix search list setting.
C. Modify the Primary DNS Suffix Devolution setting.
D. Create a zone named “.”.
E. Create a zone named GlobalNames.
F. Run the Set-DNSServerRootHint cmdlet.

Answer: A,E
Explanation:

Deploying a GlobalNames zone

The specific steps for deploying a GlobalNames zone can vary somewhat, depending on
the AD DS topology of your network.
Step 1: Create the GlobalNames zone (E)
Step 2: Enable GlobalNames zone support (A)
The Set-DnsServerGlobalNameZone cmdlet enables or disables single-label Domain
Name System (DNS) queries. It also changes configuration settings for a GlobalNames
zone.
Etc.

Reference: Deploying a GlobalNames Zone; Set-DnsServerGlobalNameZone

http://technet.microsoft.com/en-us/library/cc731744.aspx

http://technet.microsoft.com/en-us/library/jj649907(v=wps.620).aspx

Question No : 270 - (Topic 3)

Your company has a main office and a remote office. The remote office is used for disaster
recovery.

The network contains an Active Directory domain named contoso.com. The domain
contains member servers named Server1, Server2, Server3, and Server4. All servers run
Windows Server 2012 R2.

Server1 and Server2 are located in the main office. Server3 and Server4 are located in the
remote office.

All servers have the Failover Clustering feature installed. The servers are configured as
nodes in a failover cluster named Cluster1. Storage is replicated between the main office
and the remote site.

You need to ensure that Cluster1 is available if two nodes in the same office fail.

What are two possible quorum configurations that achieve the goal? (Each correct answer
presents a complete solution. Choose two.)

A. No Majority: Disk Only
B. Node Majority
C. Node and File Share Majority
D. Node and Disk Majority

Answer: A,B
Explanation:

Depending on the quorum configuration option that you choose and your specific settings,
the cluster will be configured in one of the following quorum modes:
* (A) No majority (disk witness only)
* (B) Node majority (no witness)
* Node majority with witness (disk or file share)

Reference: Configure and Manage the Quorum in a Windows Server 2012 R2 Failover
Cluster

Question No : 271 - (Topic 3)

You have a server named Server1 that runs Windows Server 2012 R2. Server1 has the
File Server Resource Manager role service installed.

You attempt to delete a classification property and you receive the error message as
shown in the exhibit. (Click the Exhibit button.)

You need to delete the isConfidential classification property.

What should you do?

A. Delete the classification rule that is assigned the isConfidential classification property.
B. Disable the classification rule that is assigned the isConfidential classification property.
C. Set files that have an isConfidential classification property value of Yes to No.
D. Clear the isConfidential classification property value of all files.

Answer: A
Explanation:

You would have to delete the classification rule in order to delete the classification property.

Question No : 272 HOTSPOT - (Topic 3)

You discover that when users connect to app1.contoso.com, they are connected frequently
to a server that is not on their local subnet.

You need to ensure that when the users connect to app1.contoso.com, they connect to a
server on their local subnet. The connections must be distributed across the servers that
host app1.contoso.com on their subnet.

Which options should you select?

Answer:

Question No : 273 HOTSPOT - (Topic 3)

Your network contains a DNS server named Server1. Server1 hosts a DNS zone for
contoso.com.

You need to ensure that DNS clients cache records from contoso.com for a maximum of
one hour.

Which value should you modify in the Start of Authority (SOA) record?

To answer, select the appropriate setting in the answer area.

Answer:

Explanation:

Minimum TTL - The minimum time-to-live value applies to all resource records in the zone
file. This value is supplied in query responses to inform other servers how long they should
keep the data in cache. The default value is 3,600.

Question No : 274 HOTSPOT - (Topic 3)

Your network contains an Active Directory domain named contoso.com.

You install the IP Address Management (IPAM) Server feature on a server named Server1
and select Manual as the provisioning method.

The IPAM database is located on a server named SQL1.

You need to configure IPAM to use Group Policy Based provisioning.

What command should you run first?

To answer, select the appropriate options in the answer area.

Answer:

Explanation:

The choice of a provisioning method is permanent for the current installation of IPAM
Server. To change the provisioning method, you must uninstall and reinstall IPAM Server.

Question No : 275 - (Topic 3)

You have a server named DNS1 that runs Windows Server 2012 R2.

You discover that the DNS resolution is slow when users try to access the company
intranet home page by using the URL http://companyhome.

You need to provide single-label name resolution for CompanyHome that is not dependent
on the suffix search order.

Which three cmdlets should you run? (Each correct answer presents part of the solution.
Choose three.)

A. Add-DnsServerPrimaryZone
B. Add-DnsServerResourceRecordCName
C. Set-DnsServerDsSetting
D. Set-DnsServerGlobalNameZone
E. Set-DnsServerEDns
F. Add-DnsServerDirectoryPartition

Answer: A,B,D
Explanation:

You can use this task to create a GlobalNames zone to maintain a set of single-label,
Domain Name System (DNS) names that Windows Server 2008 DNS servers can resolve
on behalf of DNS clients throughout a single forest in Active Directory Domain Services
(AD DS).
Deploying a GlobalNames zone in a single forest requires that you perform the following
steps:
✑ (A) Create a zone named GlobalNames that replicates to all domain controllers in
the forest.
✑ (B) Add an alias (CNAME) record to the zone for each host for which you want to
provide single-label name resolution. For example, if you want DNS clients to be
able to access a server whose fully qualified domain name (FQDN) is
cweb.itgroup.contoso.com, add an alias (CNAME) resource record that maps the
name cweb to cweb.itgroup.contoso.com.

Note:
A. The Add-DnsServerPrimaryZone cmdlet adds a specified primary zone on a Domain
Name System (DNS) server.
B. The Add-DnsServerResourceRecordCName cmdlet adds a canonical name (CNAME)
resource record to a specified Domain Name System (DNS) zone. A CNAME record allows
you to use more than one resource record to refer to a single host.
D. The Set-DnsServerGlobalNameZone cmdlet enables or disables single-label Domain
Name System (DNS) queries. It also changes configuration settings for a GlobalNames
zone.
The GlobalNames zone supports short, easy-to-use names instead of fully qualified domain
names (FQDNs) without using Windows Internet Name Service (WINS) technology. For
instance, DNS can query SarahJonesDesktop instead of
SarahJonesDesktop.contoso.com.

Reference: Adding a GlobalNames zone to a forest

https://technet.microsoft.com/en-us/library/cc816717(v=ws.10).aspx

Question No : 276 DRAG DROP - (Topic 3)

You plan to deploy a failover cluster that will contain two nodes that run Windows Server
2012 R2.

You need to configure a witness disk for the failover cluster.

How should you configure the witness disk?

To answer, drag the appropriate configurations to the correct location or locations. Each
configuration may be used once, more than once, or not at all. You may need to drag the
split bar between panes or scroll to view content.

Answer:

Explanation:

Disk witness requirements include:

* Basic disk with a single volume
* Can be formatted with NTFS or ReFS

Topic 4, Volume D

Question No : 277 - (Topic 4)

Your network contains an Active Directory forest named contoso.com.

The forest contains two sites named Main and Branch.

The Main site contains 400 desktop computers and the Branch site contains 150 desktop
computers.

All of the desktop computers run Windows 8. In Main, the network contains a member
server named Server1 that runs Windows Server 2012.

You install the Windows Server Update Services server role on Server1.

You need to ensure that Windows updates obtained from Windows Server Update Services
(WSUS) are the same for the computers in each site.

You want to achieve this goal by using the minimum amount of administrative effort.

What should you do?

A. From the Update Services console, create computer groups.
B. From the Update Services console, configure the Computers options.
C. From the Group Policy Management console, configure the Windows Update settings.
D. From the Group Policy Management console, configure the Windows Anytime Upgrade
settings.
E. From the Update Services console, configure the Synchronization Schedule options.

Answer: C
Explanation:

Create one computer group for Main site and another group for Branch site. You can
deploy Windows updates by computer group.

Question No : 278 - (Topic 4)

Your network contains two servers named Server1 and Server2 that run Windows Server
2012 R2.

Server1 and Server2 have the Hyper-V server role installed.

Server1 and Server2 are configured as Hyper-V replicas of each other.

Server1 hosts a virtual machine named VM1. VM1 is replicated to Server2.

You need to verify whether the replica of VM1 on Server2 is functional.

The solution must ensure that VM1 remains accessible to clients.

What should you do from Hyper-V Manager?

A. On Server1, execute a Planned Failover
B. On Server1, execute a Test Failover
C. On Server2, execute a Planned Failover
D. On Server2, execute a Test Failover

Answer: B

Question No : 279 - (Topic 4)

Your network contains two Active Directory forests named contoso.com and adatum.com.

A two-way forest trust exists between the forests. The contoso.com forest contains an
enterprise certification authority (CA) named Server1.

You implement cross-forest certificate enrollment between the contoso.com forest and the
adatum.com forest.

On Server1, you create a new certificate template named Template1.

You need to ensure that users in the adatum.com forest can request certificates that are
based on Template1.

Which tool should you use?

A. DumpADO.ps1
B. Repadmin
C. Add-CATemplate
D. Certutil
E. PKISync.ps1

Answer: E
Explanation:

B. Repadmin.exe helps administrators diagnose Active Directory replication problems
between domain controllers running Microsoft Windows operating systems.
C. Adds a certificate template to the CA.
D. Use Certutil.exe to dump and display certification authority (CA) configuration
information, configure Certificate Services, backup and restore CA components, and verify
certificates, key pairs, and certificate chains.
E. PKISync.ps1 copies objects in the source forest to the target forest
http://technet.microsoft.com/en-us/library/ff955845(v=ws.10).aspx#BKMK_Consolidating
http://technet.microsoft.com/en-us/library/cc770963(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/hh848372.aspx
http://technet.microsoft.com/library/cc732443.aspx
http://technet.microsoft.com/en-us/library/ff961506(v=ws.10).aspx

Question No : 280 - (Topic 4)

Which permission should you assign on a CA to a group of users that you want to be able
to respond to certificate requests but you do not want to provide them with the ability to
change CA security settings?

A. Read
B. Issue And Manage Certificates
C. Manage CA
D. Request Certificates

Answer: B

Question No : 281 - (Topic 4)

Which of the following CA types must be deployed on domain-joined computers?

A. Enterprise root
B. Enterprise subordinate
C. Standalone root
D. Standalone subordinate

Answer: A,B

Question No : 282 - (Topic 4)

Your network contains an Active Directory forest named contoso.com.

All servers run Windows Server 2012 R2.

You need to create a custom Active Directory Application partition.

Which tool should you use?

A. Netdom
B. Ntdsutil
C. Dsmod
D. Dsamain

Answer: B
Explanation:

* To create or delete an application directory partition:
Open Command Prompt.
Type: ntdsutil
At the ntdsutil command prompt, type: domain management
At the domain management command prompt, type: connection
At the server connections command prompt, type: connect to server ServerName
At the server connections command prompt, type: quit
At the domain management command prompt, do one of the following:
* partition management
Manages directory partitions for Active Directory Domain Services (AD DS) or Active
Directory Lightweight Directory Services (AD LDS).
This is a subcommand of Ntdsutil and Dsmgmt. Ntdsutil and Dsmgmt are command-line
tools that are built into Windows Server 2008 and Windows Server 2008 R2.
/ partition management create nc %s1 %s2
Creates the application directory partition with distinguished name %s1, on the Active
Directory domain controller or AD LDS instance with full DNS name %s2. If you specify
"NULL" for %s2, this command uses the currently connected Active Directory domain
controller. Use this command only with AD DS. For AD LDS, use create nc %s1 %s2 %s3.
Note:
* An application directory partition is a directory partition that is replicated only to specific
domain controllers. A domain controller that participates in the replication of a particular
application directory partition hosts a replica of that partition.

Question No : 283 - (Topic 4)

Your network contains one Active Directory domain named adatum.com. The domain
contains a DNS server named Server1 that runs Windows Server 2012 R2.

All domain computers use Server1 for DNS.

You sign adatum.com by using DNSSEC.

You need to configure the domain computers to validate DNS responses for adatum.com
records.

What should you configure in Group Policy?

A. Network List Manager Policies
B. Network Access Protection (NAP)
C. Name Resolution Policy
D. Public Key Policy

Answer: C
Explanation:

Name Resolution Policy needs to be configured in Group Policy.

"In both example 1 and example 2, validation is not required for the secure.contoso.com
zone because the Name Resolution Policy Table (NRPT) is not configured to require
validation."
https://technet.microsoft.com/en-us/library/jj200221.aspx

Question No : 284 - (Topic 4)

You have a server named LON-DC1 that runs Windows Server 2012 R2.

An iSCSI virtual disk named VirtualiSCSI1.vhd exists on LON-DC1 as shown in the exhibit.
(Click the Exhibit button.)

You create a new iSCSI virtual disk named VirtualiSCSI2.vhd by using the existing itgt
iSCSI target.

VirtualiSCSI1.vhd is removed from LON-DC1.

You need to assign VirtualiSCSI2.vhd a logical unit value of 0.

What should you do?

A. Run the Set-IscsiVirtualDisk cmdlet and specify the -DevicePath parameter.
B. Run the iscsicpl command and specify the virtualdisklun parameter.
C. Modify the properties of the itgt iSCSI target.
D. Run the Set-VirtualDisk cmdlet and specify the -UniqueId parameter.

Answer: D
Explanation:

Set-VirtualDisk
Modifies the attributes of an existing virtual disk.
Applies To: Windows Server 2012 R2
-UniqueId<String>
Specifies an ID used to uniquely identify a Disk object in the system. The ID persists
through restarts.
Note: Logical unit numbers (LUNs) created on an iSCSI disk storage subsystem are not
directly assigned to a server. For iSCSI, LUNs are assigned to logical entities called
targets.
Incorrect:
Not A: Set-IscsiVirtualDisk
Modifies the settings for the specified iSCSI virtual disk.
-Path<String> (alias: DevicePath)
Specifies the path of the virtual hard disk (VHD) file that is associated with the iSCSI virtual
disk. Filter the iSCSI Virtual Disk object using this parameter.
Not B: iscsicpl.exe is the Microsoft iSCSI Initiator Configuration Tool. Microsoft Internet
iSCSI Initiator enables you to connect a host computer that is running Windows 7 or
Windows Server 2008 R2 to an external iSCSI-based storage array through an Ethernet
network adapter.

Question No : 285 - (Topic 4)

Your network contains an Active Directory domain named contoso.com.

The network contains a file server named Server1 that runs Windows Server 2012 R2.

You create a folder named Folder1.

You share Folder1 as Share1.

The NTFS permissions on Folder1 are shown in the Folder1 exhibit. (Click the Exhibit
button.)

The Everyone group has the Full control Share permission to Folder1.

You configure a central access policy as shown in the Central Access Policy exhibit. (Click
the Exhibit button.)

Members of the IT group report that they cannot modify the files in Folder1.

You need to ensure that the IT group members can modify the files in Folder1.

The solution must use central access policies to control the permissions.

Which two actions should you perform? (Each correct answer presents part of the solution.
Choose two.)

A. On the Classification tab of Folder1, set the classification to Information Technology.
B. On the Security tab of Folder1, add a conditional expression to the existing permission
entry for the IT group.
C. On Share1, assign the Change Share permission to the IT group.
D. On the Security tab of Folder1, remove the permission entry for the IT group.
E. On the Security tab of Folder1, assign the Modify permission to the Authenticated Users
group.

Answer: A,E
Explanation:

Central access policies for files enable organizations to centrally deploy and manage
authorization policies that include conditional expressions that use user groups, user
claims, device claims, and resource properties. (Claims are assertions about the attributes
of the object with which they are associated). For example, to access high-business-impact
(HBI) data, a user must be a full-time employee, obtain access from a managed device,
and log on with a smart card. These policies are defined and hosted in Active Directory
Domain Services (AD DS).

http://technet.microsoft.com/en-us/library/hh846167.aspx

Question No : 286 - (Topic 4)

You have a server named Server1 that runs Windows Server 2012 R2.

Server1 has 2 dual-core processors and 16 GB of RAM.

You install the Hyper-V server role in Server1.

You plan to create two virtual machines on Server1.

You need to ensure that both virtual machines can use up to 8 GB of memory.

The solution must ensure that both virtual machines can be started simultaneously.

What should you configure on each virtual machine?

A. Dynamic Memory
B. NUMA topology
C. Memory weight
D. Resource Control

Answer: A

Question No : 287 - (Topic 4)

Which of the following would you configure if you wanted to block computers running
Windows 7 and earlier operating systems from consuming AD RMS-protected content?

A. Trusted publishing domain
B. Trusted user domain
C. Exclusion policies
D. Super Users

Answer: C

Question No : 288 - (Topic 4)

Your network contains an Active Directory domain named contoso.com.

The domain contains a domain controller named DC1. DC1 has the DNS Server server role
installed.

The network has two sites named Site1 and Site2. Site1 uses 10.10.0.0/16 IP addresses
and Site2 uses 10.11.0.0/16 IP addresses.

All computers use DC1 as their DNS server. The domain contains four servers named
Server1, Server2, Server3, and Server4.

All of the servers run a service named Service1. DNS host records are configured as
shown in the exhibit. (Click the Exhibit button.)

You discover that computers from the 10.10.1.0/24 network always resolve Service1 to the
IP address of Server1.

You need to configure DNS on DC1 to distribute computers in Site1 between Server1 and
Server2 when the computers attempt to resolve Service1.

What should you run on DC1?

A. dnscmd /config /bindsecondaries 1
B. dnscmd /config /localnetpriority 0
C. dnscmd /config /localnetprioritynetmask 0x0000ffff
D. dnscmd /config /roundrobin 0

Answer: C
Explanation:

A. Specifies use of fast transfer format used by legacy Berkeley Internet Name Domain
(BIND) servers. 1 enables
B. Disables netmask ordering.
C. You can use the Dnscmd /Config /LocalNetPriorityNetMask 0x0000FFFF command to
use class B (or 16 bit) for netmask ordering for DNS round robin.
D. Disables round robin rotation.
http://technet.microsoft.com/en-us/library/cc737355(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc738473(v=ws.10).aspx
http://support.microsoft.com/kb/842197
http://technet.microsoft.com/en-us/library/cc779169(v=ws.10).aspx

Question No : 289 - (Topic 4)

You have a server named Server1. A Microsoft Azure Backup of Server1 is created
automatically every day.

You rename Server1 to Server2. You discover that backups are no longer created in Azure.

You need to back up the server to Azure.

What should you do?

A. From the Azure Management Portal, upload the Server2 certificate as a management
certificate.
B. On Server2, run the Start-OBRegistration cmdlet.
C. On Server2, run the Add-WBBackupTarget cmdlet.
D. From the Azure Management Portal, modify the configuration on the backup vault.

Answer: B
Explanation:
(https://azure.microsoft.com/pt-pt/documentation/articles/backup-azure-backup-faq)

Question No : 290 - (Topic 4)

You have a cluster named Cluster1 that contains two nodes. Both nodes run Windows
Server 2012 R2.

Cluster1 hosts a virtual machine named VM1 that runs Windows Server 2012 R2.

You configure a custom service on VM1 named Service1.

You need to ensure that VM1 will be moved to a different node if Service1 fails.

Which cmdlet should you run on Cluster1?

A. Set-ClusterResourceDependency
B. Add-ClusterGenericServiceRole
C. Enable-VMResourceMetering
D. Add-ClusterVMMonitoredItem

Answer: B

Question No : 291 - (Topic 4)

Your network contains an Active Directory domain named contoso.com.

The domain contains a main office and a branch office.

An Active Directory site exists for each office.

All domain controllers run Windows Server 2012 R2.

The domain contains two domain controllers.

DC1 hosts an Active Directory-integrated zone for contoso.com.

You add the DNS Server server role to DC2.

You discover that the contoso.com DNS zone fails to replicate to DC2.

You verify that the domain, schema, and configuration naming contexts replicate from DC1
to DC2.

You need to ensure that DC2 replicates the contoso.com zone by using Active Directory
replication.

Which tool should you use?

A. Dnscmd
B. Dnslint
C. Repadmin
D. Ntdsutil
E. DNS Manager
F. Active Directory Sites and Services
G. Active Directory Domains and Trusts
H. Active Directory Users and Computers

Answer: F
Explanation:

http://technet.microsoft.com/en-us/library/cc739941(v=ws.10).aspx

If you see a question about AD replication, the first preference is Active Directory Sites
and Services, then Repadmin, and then Dnslint.

Question No : 292 - (Topic 4)

Your network contains an Active Directory domain named contoso.com.

The domain contains client computers that run either Windows XP, Windows 7, or
Windows 8.

Network Policy Server (NPS) is deployed to the domain.

You plan to create a system health validator (SHV).

You need to identify which policy settings can be applied to all of the computers.

Which three policy settings should you identify? (Each correct answer presents part of the
solution. Choose three.)

A. A firewall is enabled for all network connections.
B. An antispyware application is on.
C. Automatic updating is enabled.
D. Antivirus is up to date.
E. Antispyware is up to date.

Answer: A,C,D
Explanation:

* System health agent (SHA) is a NAP component.
* System health agent (SHA)
A component that checks the state of the client computer to determine whether the settings
monitored by the SHA are up-to-date and configured correctly. For example, the Windows
Security Health Agent (WSHA) can monitor Windows Firewall, whether antivirus software is
installed, enabled, and updated, whether antispyware software is installed, enabled, and
updated, and whether Microsoft Update Services is enabled and the computer has the
most recent security updates from Microsoft Update Services. There might also be SHAs
(and corresponding system health validators) available from other companies that provide
different functionality.

Question No : 293 HOTSPOT - (Topic 4)

You run Get-FsrmClassificationRule and you receive the following output.

You have a file named file1 that is stored on drive D and has the following content:
"111000000000111111"

You run the classification with all of the rules.

Use the drop-down menus to select the answer choice that completes each statement.

Answer:

Explanation:

(https://technet.microsoft.com/en-us/library/jj900627%28v=wps.630%29.aspx)

Question No : 294 - (Topic 4)

You are employed as a senior network administrator at ABC.com.

ABC.com has an Active Directory domain named ABC.com.

All servers on the ABC.com network have Windows Server 2012 R2 installed.

The ABC.com domain has an Active Directory site configured in London, and an Active
Directory site in New York.

You have been instructed to make sure that the synchronization of account lockout data
happens quicker.

A. You should consider editing the options attribute from WANLINK properties.
B. You should consider editing the options attribute from LANLINK properties.
C. You should consider editing the options attribute from the DEFAULTSITELINK
properties.
D. You should consider editing the proxyAddresses attribute from the
DEFAULTIPSITELINK properties.

Answer: C
Explanation:

http://technet.microsoft.com/en-us/library/cc961787.aspx

Question No : 295 - (Topic 4)

You are employed as a senior network administrator at ABC.com.

ABC.com has an Active Directory domain named ABC.com.

All servers on the ABC.com network have Windows Server 2012 installed.

You are currently running a training exercise for junior network administrators.

You are discussing the PKISync.ps1 tool.

Which of the following is true with regard to PKISync.ps1?

A. It adds a certificate template to the CA.
B. It assists administrators in diagnosing replication problems between Windows domain
controllers.
C. It is used to display information about the digital certificates that are installed on a
DirectAccess client, DirectAccess server, or intranet resource.
D. It copies objects in the source forest to the target forest.

Answer: D

Question No : 296 - (Topic 4)

Your network contains one Active Directory forest named contoso.com.

The forest contains two child domains and six domain controllers.

The domain controllers are configured as shown in the following table.

You need to add an additional UPN Suffix.

What should you use?

A. Set-ADSite
B. Set-ADReplicationSite
C. Set-ADDomain
D. Set-ADReplicationSiteLink
E. Set-ADGroup
F. Set-ADForest
G. Netdom

Answer: F
Explanation:

https://technet.microsoft.com/en-us/library/dd391925(v=ws.10).aspx

Question No : 297 - (Topic 4)

Which of the following CA types would you deploy if you wanted to deploy a CA at the top
of a hierarchy that could issue signing certificates to other CAs and which would be taken
offline if not issuing, renewing, or revoking signing certificates?

A. Enterprise root
B. Enterprise subordinate
C. Standalone root
D. Standalone subordinate

Answer: C

Question No : 298 - (Topic 4)

You have moved several domain controllers out of your organization's head office site to a
new secondary datacenter that has its own site.

Which of the following consoles should be used to update the site association of these
domain controllers?

A. Active Directory Administrative Center
B. Active Directory Users and Computers
C. Active Directory Sites And Services
D. Active Directory Domains And Trusts

Answer: C

Question No : 299 - (Topic 4)

Your network contains an Active Directory domain named contoso.com.

The domain contains a domain controller named DC1 that runs Windows Server 2012 R2.

DC1 has the DNS Server server role installed.

The network contains client computers that run either Linux, Windows 7, or Windows 8.

You have a zone named adatum.com as shown in the exhibit. (Click the Exhibit button.)

You plan to configure Name Protection on all of the DHCP servers.

You need to configure the adatum.com zone to support Name Protection.

What should you do?

A. Sign the zone.
B. Store the zone in Active Directory.
C. Modify the Security settings of the zone.
D. Configure Dynamic updates.
E. Add a DNSKEY record.

Answer: B,D

Explanation:

http://technet.microsoft.com/en-us/library/ee941152(v=ws.10).aspx

Question No : 300 - (Topic 4)

Your network contains servers that run Windows Server 2012 R2.

The network contains a large number of iSCSI storage locations and iSCSI clients.

You need to deploy a central repository that can discover and list iSCSI resources on the
network automatically.

Which feature should you deploy?

A. the Windows Standards-Based Storage Management feature
B. the iSCSI Target Server role service
C. the iSCSI Target Storage Provider feature
D. the iSNS Server service feature

Answer: D
Explanation:

A. Windows Server 2012 R2 enables storage management that is comprehensive and fully
scriptable, and administrators can manage it remotely.
A WMI-based interface provides a single mechanism through which to manage all storage,
including non-Microsoft intelligent storage subsystems and virtualized local storage (known
as Storage Spaces). Additionally, management applications can use a single Windows API
to manage different storage types by using standards-based protocols such as Storage
Management Initiative Specification (SMI-S).
B. Targets are created in order to manage the connections between an iSCSI device and
the servers that need to access it. A target defines the portals (IP addresses) that can be
used to connect to the iSCSI device, as well as the security settings (if any) that the iSCSI
device requires in order to authenticate the servers that are requesting access to its
resources.
C. iSCSI Target Storage Provider enables applications on a server that is connected to an
iSCSI target to perform volume shadow copies of data on iSCSI virtual disks. It also
enables you to manage iSCSI virtual disks by using older applications that require a Virtual
Disk Service (VDS) hardware provider, such as the Diskraid command.
D. The Internet Storage Name Service (iSNS) protocol is used for interaction between
iSNS servers and iSNS clients. iSNS clients are computers, also known as initiators, that
are attempting to discover storage devices, also known as targets, on an Ethernet network.

http://technet.microsoft.com/en-us/library/cc726015.aspx
http://technet.microsoft.com/en-us/library/cc772568.aspx

Question No : 301 - (Topic 4)

Your network contains an Active Directory domain named contoso.com.

The domain contains a server named Server1 that runs Windows Server 2012 R2.

You need to ensure that a WIM file that is located on a network share is used as the
installation source when installing server roles and features on Server1.

Which two actions should you perform? (Each correct answer presents part of the solution.
Choose two.)

A. Run the dism.exe command and specify the /remove-package parameter.
B. Run the Remove-WindowsFeature cmdlet.
C. Enable and configure the Specify settings for optional component installation and
component repair policy setting by using a Group Policy object (GPO).
D. Enable the Enforce upgrade component rules policy setting by using a Group Policy
object (GPO).
E. Run the Remove-WindowsPackage cmdlet.

Answer: A,C
Explanation:

A: To remove packages from an offline image by using DISM. Example:
At a command prompt, specify the package identity to remove it from the image.
You can remove multiple packages on one command line.
DISM /Image:C:\test\offline /Remove-Package /PackageName:Microsoft.Windows.Calc.Demo~6595b6144ccf1df~x86~en~1.0.0.0 /PackageName:Microsoft-Windows-MediaPlayerPackage~31bf3856ad364e35~x86~~6.1.6801.0
C:
* You can use Group Policy to specify a Windows image repair source to use within your
network. The repair source can be used to restore Windows features or to repair a
corrupted Windows image.
* Set Group Policy
You can use Group Policy to specify when to use Windows Update, or a network location
as a repair source for features on demand and automatic corruption repair. To configure
Group Policy for Feature on Demand
Open the group policy editor. For example, on a computer that is running Windows 8, click
Search, click Settings, type Edit Group Policy, and then select the Edit Group Policy
setting. Click Computer Configuration, click Administrative Templates, click System, and
then double-click the Specify settings for optional component uninstallation and component
repair setting. Select the settings that you want to use for Features on Demand.
Note:
* The Windows Imaging Format (WIM) is a file-based disk image format. It was developed
by Microsoft to help deploy Windows Vista and subsequent versions of Windows operating
system family, as well as Windows Fundamentals for Legacy PCs.

Question No : 302 - (Topic 4)

Your network contains an Active Directory domain named contoso.com.

The domain contains a server named Server1 that runs Windows Server 2012 R2.

Server1 is an enterprise root certification authority (CA) for contoso.com.

You need to ensure that the members of a group named Group1 can request code signing
certificates.

The certificates must be issued automatically to the members.

Which two actions should you perform? (Each correct answer presents part of the solution.
Choose two.)

A. From Certificate Templates, modify the certificate template.
B. From Certification Authority, add a certificate template to be issued.
C. From Certificate Authority, modify the CA properties.
D. From Certificate Templates, duplicate a certificate template.
E. From Certificate Authority, stop and start the Active Directory Certificate Services (AD
CS) service.

Answer: A,D
Explanation:

The correct answers should be A and D: first duplicate it, then modify it.
http://blogs.technet.com/b/deploymentguys/archive/2013/06/14/signing-windows-8-applications-using-an-internal-pki.aspx

The section on “Creating a Custom Certificate Template” shows the steps to create one and
states:

“New certificate templates are created by copying an existing template and using the
existing template’s properties as the default for the new template. Copy the existing
certificate template closest to the configuration of the intended new template to minimize
the work necessary.”

This is step 2 in the creation process. Step 4 is to make desired changes.

Building an Enterprise Root Certification Authority in Small and Medium Businesses

http://technet.microsoft.com/en-us/library/cc700804.aspx

Question No : 303 - (Topic 4)

Your network contains an Active Directory forest.

The forest contains two domains named contoso.com and fabrikam.com.

The functional level of the forest is Windows Server 2003.

You have a domain outside the forest named litwareinc.com.

You need to configure an access solution to meet the following requirements:

✑ Users in litwareinc.com must be able to access resources on a server named
Server1 in contoso.com.
✑ Users in the contoso.com forest must be prevented from accessing any resources
in litwareinc.com.
✑ Users in litwareinc.com must be prevented from accessing any other resources in
the contoso.com forest.

Which three actions should you perform? (Each correct answer presents part of the
solution. Choose three.)

A. Configure SID filtering on the trust.
B. Configure forest-wide authentication on the trust.
C. Create a one-way forest trust.
D. Create a one-way external trust.
E. Modify the permission on the Server1 object.
F. Configure selective authentication on the trust.

Answer: D,E,F

Question No : 304 - (Topic 4)

Your network contains a Hyper-V host named Server1 that hosts 20 virtual machines.

You need to view the amount of memory resources and processor resources each virtual
machine uses currently.

Which tool should you use on Server1?

A. Hyper-V Manager
B. Windows System Resource Manager (WSRM)
C. Task Manager
D. Resource Monitor

Answer: A
Explanation:

You get it from the Hyper-V Manager.

Question No : 305 - (Topic 4)

You are employed as a senior network administrator at ABC.com.

ABC.com has an Active Directory domain named ABC.com.

All servers on the ABC.com network have Windows Server 2012 R2 installed.

ABC.com has two servers, named SERVER1 and SERVER2, which are configured in a two-
node failover cluster.

Server1 includes a folder, named ABCAppData, which is configured as a Distributed File
System (DFS) namespace folder target.

After configuring another two nodes in the failover cluster, you are instructed to make sure
that access to ABCAppData is highly available.

You also have to make sure that application data is replicated to ABCAppData via DFS
replication.

Which of the following actions should you take?

A. You should consider configuring a scale-out File Server
B. You should consider configuring the replication settings for the cluster
C. You should consider configuring a file server for general use
D. You should consider configuring the Quorum settings

Answer: A
Explanation:

http://technet.microsoft.com/en-us/library/hh831349.aspx

Question No : 306 - (Topic 4)

Which of the following must you back up or have a copy of to be able to ensure that you
can restore an AD RMS cluster in the event that a single server hosting all AD RMS
components suffers complete data loss? (Choose three answers.)

A. Cluster key password
B. Trusted publishing domain
C. Trusted user domain
D. AD RMS databases

Answer: A,B,D

Question No : 307 - (Topic 4)

Your network contains an Active Directory domain named contoso.com.

The domain contains a main office and a branch office. An Active Directory site exists for
each office.

The domain contains two servers named Server1 and Server2 that run Windows Server
2012 R2.

Both servers have the DHCP Server server role installed. Server1 is located in the main
office site.

Server2 is located in the branch office site. Server1 provides IPv4 addresses to the client
computers in the main office site.

Server2 provides IPv4 addresses to the client computers in the branch office site.

You need to ensure that if either Server1 or Server2 is offline, the client computers can
still obtain IPv4 addresses.

The solution must meet the following requirements:

✑ The storage location of the DHCP databases must not be a single point of failure.
✑ Server1 must provide IPv4 addresses to the client computers in the branch office
site only if Server2 is offline.
✑ Server2 must provide IPv4 addresses to the client computers in the main office
site only if Server1 is offline.

Which configuration should you use?

A. load sharing mode failover partners
B. a failover cluster
C. hot standby mode failover partners
D. a Network Load Balancing (NLB) cluster

Answer: C
Explanation:

A. The load sharing mode of operation is best suited to deployments where both servers in
a failover relationship are located at the same physical site.
B. Hot standby mode of operation is best suited to deployments where a central office or
data center server acts as a standby backup server to a server at a remote site, which is
local to the DHCP clients
C. Needs to be a DHCP Failover option
D. Needs to be a DHCP Failover option

http://technet.microsoft.com/en-us/library/hh831385.aspx
http://blogs.technet.com/b/teamdhcp/archive/2012/09/03/dhcp-failover-hot-standbymode.aspx

Question No : 308 - (Topic 4)

Your network contains two Active Directory forests named contoso.com and fabrikam.com.

The contoso.com forest contains two domains named corp.contoso.com and contoso.com.

You establish a two-way forest trust between contoso.com and fabrikam.com.

Users from the corp.contoso.com domain report that they cannot log on to client computers
in the fabrikam.com domain by using their corp.contoso.com user account.

When they try to log on, they receive the following error message:

"The computer you are signing into is protected by an authentication firewall. The specified
account is not allowed to authenticate to the computer."

Corp.contoso.com users can log on successfully to client computers in the contoso.com
domain by using their corp.contoso.com user account credentials.

You need to allow users from the corp.contoso.com domain to log on to the client
computers in the fabrikam.com forest.

What should you do?

A. Configure Windows Firewall with Advanced Security.
B. Enable SID history.
C. Configure forest-wide authentication.
D. Instruct the users to log on by using a user principal name (UPN).

Answer: C
Explanation:

The forest-wide authentication setting permits unrestricted access by any users in the
trusted forest to all available shared resources in any of the domains in the trusting forest.

http://technet.microsoft.com/en-us/library/cc785875(v=ws.10).aspx

Question No : 309 HOTSPOT - (Topic 4)

Your network contains one Active Directory forest named adatum.com.

The forest contains a single domain.

The site topology for the forest is shown in the exhibit.

Each site contains one domain controller.

You need to ensure that replication between site2 and site4 occurs in 15 minutes or less.

What command should you run? To answer select the appropriate options in the answer
area.

Answer Area

Answer:

Explanation:

(Specifically, look up ReplicationFrequencyInMinutes.)

https://technet.microsoft.com/en-us/%5Clibrary/Hh852257(v=WPS.630).aspx

Question No : 310 - (Topic 4)

You are employed as a network administrator at ABC.com.

ABC.com has an Active Directory domain named ABC.com.

All servers on the ABC.com network have Windows Server 2012 R2 installed.

ABC.com has a server, named Server1, which runs the Windows Deployment Services
server role.

You make use of Windows Server Backup to back up Server1.

Subsequent to a disk array on Server1 becoming corrupt, you swap the disk array with new
hardware.

You now need to recover Server1 in the shortest time conceivable.

Which of the following actions should you take?

A. You should consider making use of the Windows Server 2012 R2 installation media to
start Server1
B. You should consider restoring Server1 from a snapshot backup
C. You should consider restoring Server1 from an incremental backup
D. You should consider restoring Server1 from a differential backup

Answer: A

Question No : 311 - (Topic 4)

The Wingtip Toys forest hosts a web application that users in the Tailspin Toys forest need
to access.

You are the system administrator at Wingtip Toys. A single federation server is present in
each forest and you are configuring a federated trust.

Which of the following statements are true about the deployment solution? (Choose all that
apply.)

A. The AD FS server in the Tailspin Toys forest will function as the claims-provider server.
B. The AD FS server in the Tailspin Toys forest will function as the relying-party server.
C. Configure a relying-party trust on the Wingtip Toys AD FS server.
D. Configure a claims-provider trust on the Wingtip Toys AD FS server.

Answer: A,D

Question No : 312 - (Topic 4)

Your network contains two Active Directory forests named contoso.com and fabrikam.com.

A two-way forest trust exists between the forests.

The contoso.com forest contains an enterprise certification authority (CA) named CA1.

You implement cross-forest certificate enrollment between the contoso.com forest and the
fabrikam.com forest.

On CA1, you create a new certificate template named Template1.

You need to ensure that users in the fabrikam.com forest can request certificates that are
based on Template1.

Which tool should you use?

A. Sync-ADObject
B. Pkiview.msc
C. CertificateServices.ps1
D. Certutil
E. PKISync.ps1

Answer: E
Explanation:

A. Replicates a single object between any two domain controllers that have partitions in
common.
B. Monitoring and troubleshooting the health of all certification authorities (CAs) in a public
key infrastructure (PKI) are essential administrative tasks facilitated by the Enterprise PKI
snap-in.
D. Use Certutil.exe to dump and display certification authority (CA) configuration
information, configure Certificate Services, back up and restore CA components, and verify
certificates, key pairs, and certificate chains.
E. PKISync.ps1 copies objects in the source forest to the target forest.
http://technet.microsoft.com/en-us/library/hh852296.aspx
http://technet.microsoft.com/en-us/library/cc732261(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/ff955845(v=ws.10).aspx

Question No : 313 - (Topic 4)

You are about to promote a server running the Windows Server 2012 R2 operating system
to domain controller.

The domain is currently running at the Windows Server 2008 domain functional level.

Your account is a member of the Domain Admins group.

Which additional groups should your account be a member of to ensure that the
environment is appropriately configured for this domain controller running Windows Server
2012 R2? (Choose two. Each answer forms part of a complete solution.)

A. Schema Admins
B. Enterprise Admins
C. Account Operators
D. Server Operators

Answer: A,B

Question No : 314 - (Topic 4)

Which security groups must a user account be a member of to modify the AD RMS SCP?
(Choose two answers. Each answer forms part of a complete solution.)

A. Domain Admins
B. AD RMS Enterprise Administrators
C. Enterprise Admins
D. Cryptographic Operators.

Answer: B,C

Question No : 315 HOTSPOT - (Topic 4)

You have the following Microsoft Azure backup policy.

Answer:

Question No : 316 - (Topic 4)

The Wingtip Toys forest hosts a web application that users in the Tailspin Toys forest need
to access.

You are the system administrator at Tailspin Toys. A single federation server is present in
each forest and you are configuring a federated trust.

Which of the following statements are true about the deployment solution? (Choose all that
apply.)

A. The AD FS server in the Wingtip Toys forest will function as the claims-provider server.
B. The AD FS server in the Wingtip Toys forest will function as the relying-party server.
C. You need to configure a relying-party trust on the AD FS server in the Tailspin Toys
forest.
D. You need to configure a claims-provider trust on the AD FS server in the Tailspin Toys
forest.

Answer: B,C

Question No : 317 - (Topic 4)

You have a server named Server1 that runs Windows Server 2012 R2.

You create a Data Collector Set (DCS) named DCS1.

You need to configure DCS1 to log data to D:\logs.

What should you do?

A. Right-click DCS1 and click Data Manager...
B. Right-click DCS1 and click Save Template...
C. Right-click DCS1 and click Properties.
D. Right-click DCS1 and click Export list...

Answer: C
Explanation:

It is on the Directory tab in the DCS properties.

http://technet.microsoft.com/en-us/library/cc749267.aspx

Question No : 318 - (Topic 4)

You have a DHCP server named Server1.

Server1 has an IP address of 192.168.1.2 and is located on a subnet that has a network ID of
192.168.1.0/24.

On Server1, you create the scopes shown in the following table.

You need to ensure that Server1 can assign IP addresses from both scopes to the DHCP
clients on the local subnet.

What should you create on Server1?

A. A scope
B. A superscope
C. A split-scope
D. A multicast scope

Answer: B
Explanation:

A. A scope is an administrative grouping of IP addresses for computers on a subnet that
use the Dynamic Host Configuration Protocol (DHCP) service. The administrator first
creates a scope for each physical subnet and then uses the scope to define the parameters
used by clients.
B. A superscope is an administrative feature of Dynamic Host Configuration Protocol
(DHCP) servers running Windows Server 2008 that you can create and manage by using
the DHCP Microsoft Management Console (MMC) snap-in. By using a superscope, you
can group multiple scopes as a single administrative entity.
D. Multicasting is the sending of network traffic to a group of endpoints (destination hosts).
Only those members in the group of endpoint hosts that are listening for the multicast
traffic (the multicast group) process the multicast traffic.

http://technet.microsoft.com/en-us/library/dd759168.aspx
http://technet.microsoft.com/en-us/library/dd759152.aspx

Question No : 319 - (Topic 4)

Your network contains an Active Directory domain named contoso.com.

The domain contains a server named Server1 that runs Windows Server 2012 R2 and has
the DHCP Server server role installed.

Server1 has a scope named Scope1. A policy named Policy1 is configured for Scope1.

Policy1 is configured to provide Hyper-V virtual machines a one-day lease.

All other computers receive an eight-day lease.

You implement an additional DHCP server named Server2 that runs Windows Server 2012
R2.

On Server1, you configure Scope1 for DHCP failover.

You discover that virtual machines that receive IP addresses from Server2 have a lease
duration of eight days.

You need to ensure that when Server2 assigns IP addresses to the Hyper-V virtual
machines, the lease duration is one day.

The solution must ensure that other computers that receive IP addresses from Server2
have a lease duration of eight days.

What should you do?

A. On Server2, right-click Scope1, and then click Reconcile.
B. On Server1, right-click Scope1, and then click Replicate Scope.
C. On Server2, create a new DHCP policy.
D. On Server1, delete Policy1, and then recreate the policy.

Answer: B
Explanation:

Scope1 has been set up for DHCP failover. Now we need to replicate it from Server1 to
Server2.
http://technet.microsoft.com/en-us/library/dd183579(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc772101.aspx

Question No : 320 - (Topic 4)

Which group policy item should you configure to enable automatic reenrollment of
certificates?

A. Certificate Path Validation Settings
B. Certificate Services Client - Certificate Enrollment Policy
C. Certificate Services Client - Auto-Enrollment
D. Trusted Root Certification Authorities

Answer: C

Question No : 321 - (Topic 4)

Your network contains an Active Directory domain named contoso.com.

The domain contains a domain controller named DC1 that runs Windows Server 2012 R2.

On DC1, you open DNS Manager as shown in the exhibit. (Click the Exhibit button.)

You need to change the replication scope of the contoso.com zone.

What should you do before you change the replication scope?

A. Modify the Zone Transfers settings.
B. Add DC1 to the Name Servers list.
C. Add your user account to the Security settings of the zone.
D. Unsign the zone.

Answer: D

Explanation:

The lock icon signifies that the zone has been signed. Changes to the zone are blocked
while it is signed.
http://www.microsoft.com/en-us/download/dlx/ThankYou.aspx?id=29018

Question No : 322 - (Topic 4)

You have a server named Server1 that runs Windows Server 2012 R2.

You need to configure Server1 to create an entry in an event log when the processor usage
exceeds 60 percent.

Which type of data collector should you create?

A. an event trace data collector
B. a performance counter data collector
C. a performance counter alert
D. a configuration data collector

Answer: C

Question No : 323 - (Topic 4)

You perform a full installation of Windows Server 2012 R2 on a virtual machine named
Server1.

You plan to use Server1 as a reference image.

You need to minimize the amount of storage space used by the Windows Server 2012 R2
installation.

Which cmdlet should you use?

A. Remove-Module
B. Optimize-VHD
C. Optimize-Volume
D. Uninstall-WindowsFeature

Answer: B
Explanation:

The Optimize-VHD cmdlet optimizes the allocation of space in one or more virtual hard disk
files, except for fixed virtual hard disks. The Compact operation is used to optimize the
files.
This operation reclaims unused blocks as well as rearranges the blocks to be more
efficiently packed, which reduces the size of a virtual hard disk file.
Reference: Optimize-VHD

http://technet.microsoft.com/en-us/library/hh849732.aspx

http://technet.microsoft.com/en-us/library/hh848458.aspx

http://technet.microsoft.com/en-us/library/hh848675.aspx

http://technet.microsoft.com/en-us/library/jj205471.aspx

Question No : 324 - (Topic 4)

You have a file server named Server1 that runs Windows Server 2012 R2.

Data Deduplication is enabled on drive D of Server1.

You need to exclude D:\Folder1 from Data Deduplication.

What should you configure?

A. Disk Management in Computer Management
B. File and Storage Services in Server Manager
C. the classification rules in File Server Resource Manager (FSRM)
D. the properties of D:\Folder1

Answer: B
Explanation:

Data deduplication exclusions on a volume are set from File & Storage Services, Server
Manager, or PowerShell.

http://technet.microsoft.com/en-us/library/hh831434.aspx

Question No : 325 - (Topic 4)

You have a DNS server named Server1 that runs Windows Server 2012 R2.

Server1 has a signed zone for contoso.com.

You need to configure DNS clients to perform DNSSEC validation for the contoso.com
DNS domain.

What should you configure?

A. The Network Connection settings
B. A Name Resolution Policy
C. The Network Location settings
D. The DNS Client settings

Answer: B
Explanation:

In a DNSSEC deployment, validation of DNS queries by client computers is enabled
through configuration of IPsec and NRPT.
http://technet.microsoft.com/en-us/library/ee649182(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/ee649136(v=ws.10).aspx

Question No : 326 - (Topic 4)

Your network contains an Active Directory domain named contoso.com.

All servers run Windows Server 2012 R2. The domain contains a file server named
Server1.

The domain contains a domain controller named DC1.

Server1 contains three shared folders.

The folders are configured as shown in the following table.

Folder2 has a conditional expression of User.Department == "Marketing".

You discover that a user named User1 cannot access \\Server1\folder2. User1 can access
\\Server1\folder1 and \\Server1\folder3.

You verify the group membership of User1 as shown in the Member Of exhibit. (Click the
Exhibit button.)

You verify the organization information of User1 as shown in the Organization exhibit.
(Click the Exhibit button.)

You verify the general properties of User1 as shown in the General exhibit. (Click the
Exhibit button.)

You need to ensure that User1 can access the contents of \\Server1\folder2.

What should you do?

A. From a Group Policy object (GPO), set the Support for Dynamic Access Control and
Kerberos armoring setting to Always provide claims.
B. Change the department attribute of User1.
C. Grant the Full Control NTFS permissions on Folder2 to User1.
D. Remove User1 from the Accounting global group.

Answer: B

Explanation:

The conditional expression and the user's Department attribute must match.

http://technet.microsoft.com/en-us/library/jj134043.aspx

Question No : 327 - (Topic 4)

You are configuring AD FS. Which server should you deploy on your organization's
perimeter network?

A. Web application proxy
B. Relying-party server
C. Federation server
D. Claims-provider server

Answer: A

Question No : 328 - (Topic 4)

You are employed as a network administrator at Contoso.com.

Contoso.com has a single Active Directory domain named contoso.com.

All servers on the Contoso.com network have Windows Server 2012 R2 installed.

Contoso.com has two servers, named Server1 and Server2, which are configured in a two-
node failover cluster.

You are currently configuring the quorum settings for the cluster.

You want to make use of a quorum mode that allows each node to vote if it is available and
in communication.

Which of the following is the mode you should use?

A. Node Majority
B. Node and Disk Majority
C. Node and File Share Majority
D. No Majority: Disk Only

Answer: A
Explanation:

A. Allows each node to vote
B. Allows each node and a disk witness to vote
C. Allows each node and a File share witness to vote
D. Allows one node with a specified disk to have quorum
http://technet.microsoft.com/en-us/library/cc770620(v=ws.10).aspx

Question No : 329 - (Topic 4)

You are employed as a network administrator at ABC.com. ABC.com has an Active
Directory domain named ABC.com.

All servers on the ABC.com network have Windows Server 2012 R2 installed.

You have been instructed to configure a custom Windows Recovery Environment (Windows
RE) image that should allow a drive to be mapped automatically to a network share in the
event that a server is started using the image.

Which of the following actions should you take?

A. You should consider configuring the startnet.cmd in the image
B. You should consider configuring the startup.exe command included in the image.
C. You should consider configuring the ntdsutil command included in the image
D. You should consider configuring the certutil.exe command included in the image

Answer: A

Question No : 330 - (Topic 4)

You have a cluster named Cluster1 that contains two nodes. Both nodes run Windows
Server 2012 R2.

Cluster1 hosts a virtual machine named VM1 that runs Windows Server 2012 R2.

You notice that VM1 is marked as being in a critical state in the cluster.

You verify that VM1 is functioning correctly.

You need to ensure that VM1 is no longer marked as being in a critical state.

Which cmdlet should you run?

A. Remove-ClusterVmMonitoredItem
B. Remove-ClusterResourceDependency
C. Reset-ClusterVMMonitoredState
D. Clear-ClusterNode

Answer: C
Explanation:

Remove-ClusterVmMonitoredItem - Actually removes the monitoring, so nothing will happen.
Remove-ClusterResourceDependency - Self-explanatory; has to do with dependencies, not
critical state.
Reset-ClusterVMMonitoredState - This cmdlet resets the Application Critical state of a
virtual machine, so that the virtual machine is no longer marked as being in a critical state
in the cluster.
Clear-ClusterNode - This cmdlet helps ensure that the failover cluster
configuration has been completely removed from a node that was evicted.
https://technet.microsoft.com/en-us/%5Clibrary/Hh847312(v=WPS.630).aspx

Question No : 331 - (Topic 4)

You have a server named Server1 that runs Windows Server 2012 R2.

Server1 has the File Server Resource Manager role service installed.

You attempt to delete a classification property and you receive the error message as
shown in the exhibit. (Click the Exhibit button.)

You need to delete the is Confidential classification property.

What should you do?

A. Delete the classification rule that is assigned the is Confidential classification property
B. Disable the classification rule that is assigned the is Confidential classification property
C. Set files that have an is Confidential classification property value of Yes to No
D. Clear the is Confidential classification property value of all files

Answer: A
Explanation:

What is the File Classification Infrastructure?


The Windows Server 2008 R2 File Classification Infrastructure (FCI) automates
classification processes so that you can manage your data more effectively.
You can save money and reduce risk by storing and retaining files based on their business
value or impact. The built-in solution for file classification provides expiration, custom tasks,
and reporting. The extensible infrastructure enables you to meet additional customer
classification needs by building rich end-to-end classification solutions that are built on the
classification foundation of Windows Server in a consistent and supported way and within
the existing Windows file serving platforms.

Question No : 332 - (Topic 4)

There are 42 domains in the tailspintoys.com forest. Users in the
Melbourne.victoria.australia.tailspintoys.com domain find the process of authenticating to
resources in the Copenhagen.denmark.europe.tailspintoys.com domain to be much too slow.

Which of the following steps can you take to speed up authentication between these
domains?

A. Create a forest trust.
B. Create an external trust.
C. Create a shortcut trust.
D. Configure name suffix routing.

Answer: C

Question No : 333 - (Topic 4)

Your network contains an Active Directory domain named adatum.com.

The domain contains a domain controller named DC1 that runs Windows Server 2012 R2.

On DC1, you open DNS Manager as shown in the exhibit. (Click the Exhibit button.)

You need to change the zone type of the contoso.com zone from an Active Directory-
integrated zone to a standard primary zone.

What should you do before you change the zone type?

A. Unsign the zone.
B. Modify the Zone Signing Key (ZSK).
C. Modify the Key Signing Key (KSK).
D. Change the Key Master.

Answer: A
Explanation:

A. The lock icon indicates that the zone is currently signed with DNSSEC; the zone must be unsigned.
B. An authentication key that corresponds to a private key used to sign a zone.
C. The KSK is an authentication key that corresponds to a private key used to sign one or
more other signing keys for a given zone.
Typically, the private key corresponding to a KSK will sign a ZSK, which in turn has a
corresponding private key that will sign other zone data.
D.
http://technet.microsoft.com/en-us/library/hh831411.aspx
http://technet.microsoft.com/en-us/library/ee649132(v=ws.10).aspx

Question No : 334 - (Topic 4)

At present, the subnet 192.168.15.0/24 is associated with the Brisbane site.

You want to instead associate this subnet with the Melbourne site.

Which of the following steps can you take to resolve this problem?

A. Use the Active Directory Sites And Services console to edit the properties of the
192.168.15.0/24 subnet.
B. Use the Active Directory Sites And Services console to edit the properties of the
Melbourne site.
C. Use the Active Directory Sites And Services console to edit the properties of the
Brisbane site.
D. Use the Active Directory Domains And Trusts console to edit the properties of the
192.168.15.0/24 subnet.

Answer: A

Question No : 335 - (Topic 4)

Your network contains an Active Directory domain named contoso.com.

The domain contains two member servers named Server1 and Server2.

All servers run Windows Server 2012 R2. Server1 and Server2 have the Failover
Clustering feature installed.

The servers are configured as nodes in a failover cluster named Cluster1.

Cluster1 has access to four physical disks.

The disks are configured as shown in the following table.

You need to identify which disk can be added to a Clustered Storage Space in Cluster1.

Which disk should you identify?

A. Disk1
B. Disk2
C. Disk3
D. Disk4

Answer: B

Question No : 336 - (Topic 4)

Your network contains an Active Directory domain named contoso.com.

The domain contains a server named Server1 that runs Windows Server 2012 R2. Server1
has the IP Address Management (IPAM) Server feature installed.

IPAM is currently configured for Group Policy-based provisioning.

You need to change the IPAM provisioning method on Server1.

What should you do?

A. Run the ipamgc.exe command.
B. Run the Set-IPAMConfiguration cmdlet.
C. Reinstall the IP Address Management (IPAM) Server feature.
D. Delete IPAM Group Policy objects (GPOs) from the domain.

Answer: C
Explanation:

You cannot change the provisioning method after completing the initial setup.

Question No : 337 - (Topic 4)

You are employed as a senior network administrator at contoso.com.

Contoso.com has a single Active Directory Domain named contoso.com.

All servers on the contoso.com network have Windows Server 2012 R2 installed.

You are running a training exercise for junior network administrators.

You are currently discussing the Dnslint.exe tool.

Which of the following should this tool be used for? (Choose all that apply.)

A. To help diagnose common DNS name resolution issues.
B. For developing scripts for configuring a DNS server.
C. To administer the DNS Server service.
D. To look for specific DNS record sets and ensure that they are consistent across multiple
DNS servers.
E. To verify that DNS records used specifically for Active Directory replication are correct.
F. To create and delete zones and resource records.

Answer: A,D,E
Explanation:

http://support.microsoft.com/kb/321045

Question No : 338 - (Topic 4)

Your network contains an Active Directory domain named contoso.com.

All domain controllers run Windows Server 2012 R2.

The domain contains two organizational units (OUs) named OU1 and OU2 in the root of the
domain.

Two Group Policy objects (GPOs) named GPO1 and GPO2 are created. GPO1 is linked to
OU1.

GPO2 is linked to OU2. OU1 contains a client computer named Computer1.

OU2 contains a user named User1.

You need to ensure that the GPOs applied to Computer1 are applied to User1 when User1
logs on.

What should you configure?

A. Item-level targeting
B. Block Inheritance
C. GPO links
D. The Enforced setting

Answer: A

Question No : 339 - (Topic 4)

Your network uses the 192.168.2.0/23 address space.

You are configuring video conferencing infrastructure.

You need to configure the DHCP server to lease multicast IP addresses for video
conferencing.

What command should you run on the DHCP server? To answer, select the appropriate
options in the answer area.

add-dhcpserverv4multicastscope -name "vc scope" -startscope [Start Range] [End Range]

192.168.2.10 192.168.2.255

225.0.0.10 225.0.0.250

239.0.0.1 240.0.0.0

fd80:: fe80:

ff00:: ff02:

A. 225.0.0.10 225.0.0.250
B. 225.0.0.10 225.0.0.251
C. 225.0.0.11 225.0.0.250
D. 225.0.0.10 225.0.0.255

Answer: A
Explanation:

https://technet.microsoft.com/en-us/library/cc758554(v=ws.10).aspx

Question No : 340 - (Topic 4)

Your network contains an Active Directory forest named contoso.com.

The forest contains a single domain. The domain contains three domain controllers.

The domain controllers are configured as shown in the following table.

You discover that when you run Group Policy Results from Group Policy Management, the
settings from site-linked Group Policy objects (GPOs) fail to appear in the results.

You need to ensure that the settings from site-linked GPOs appear in the results.

What should you do first?

A. Run adprep on DC3 by using Windows Server 2012 R2 installation media.
B. Transfer the infrastructure master role to DC3.
C. Upgrade DC2 to Windows Server 2012 R2.
D. Run adprep on DC1 by using Windows Server 2003 installation media.

Answer: A
Explanation:

In this scenario a Windows 2012 server has been added to a Windows 2003 network.
Note:
* Before adding your new Windows 2012 Domain Controller, or attempting to perform an
in-place upgrade of an existing Windows 2008 or 2008 R2 DC, you must make sure that the
Schema is upgraded to support your new Windows 2012 DC, and that you prepare each
domain where you plan to install Windows 2012 DCs. To do this we can use the
ADPREP.exe tool found in the support\adprep folder on your installation media.
* Starting with Windows 2012 there is only one version of ADPREP available, and that is a
64-bit version.
* Adprep is the utility--included in the OS installation media--that performs several crucial
functions to upgrade AD to support that OS. The utility has three major options: /forestprep,
/domainprep, and /rodcprep. The /forestprep option runs first, extending the AD schema
with new object and attribute classes that the new AD version needs.
The /domainprep option creates new well-known objects in AD, applies security changes,
and miscellaneous other bits. Finally, /rodcprep makes forest-wide security changes to
allow read-only domain controller (RODC) functionality. The Windows Server 2012 R2
version of adprep.exe can run on any server that runs a 64-bit version of Windows Server
2008 or later.
Reference: How to add a Windows Server 2012 R2 domain controller to an
existing Windows 2008 domain
http://technet.microsoft.com/en-us/library/bb726995.aspx
http://www.ipuptime.net/Multicast.aspx
http://technet.microsoft.com/en-us/library/gg144561(v=exchg.141).aspx
http://en.wikipedia.org/wiki/Unique_local_address

Question No : 341 - (Topic 4)

Which of the following is the minimum domain functional level required before you can
promote a member server running Windows Server 2012 R2 so that it functions as a
domain controller?

A. Windows Server 2003
B. Windows Server 2008
C. Windows Server 2008 R2
D. Windows Server 2012

Answer: A

Question No : 342 - (Topic 4)

Your network contains an Active Directory domain named contoso.com.

The domain contains a main office and a branch office.

An Active Directory site exists for each office.

All domain controllers run Windows Server 2012 R2.

The domain contains two domain controllers.

The domain controllers are configured as shown in the following table.

DC1 hosts an Active Directory-integrated zone for contoso.com.

You add the DNS Server server role to DC2.

You discover that the contoso.com DNS zone fails to replicate to DC2.

You verify that the domain, schema, and configuration naming contexts replicate from DC1
to DC2.

You need to ensure that DC2 replicates the contoso.com zone by using Active Directory
replication.

Which tool should you use?

A. Active Directory Sites and Services
B. Ntdsutil
C. DNS Manager
D. Active Directory Domains and Trusts

Answer: A
Explanation:

A. To control replication between two sites, you can use the Active Directory Sites and
Services snap-in to configure settings on the site link object to which the sites are added.
By configuring settings on a site link, you can control when replication occurs between two
or more sites, and how often.
B. Ntdsutil.exe is a command-line tool that provides management facilities for Active
Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services
(AD LDS). You can use the ntdsutil commands to perform database maintenance of AD
DS, manage and control single master operations, and remove metadata left behind by
domain controllers that were removed from the network without being properly uninstalled.
C. DNS Manager is the tool you'll use to manage local and remote DNS servers.
D. Active Directory Domains and Trusts is the Microsoft Management Console (MMC)
snap-in that you can use to administer domain trusts, domain and forest functional levels,
and user principal name (UPN) suffixes.

http://technet.microsoft.com/en-us/library/cc731862.aspx
http://technet.microsoft.com/en-us/library/cc753343(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc722541.aspx
http://technet.microsoft.com/en-us/library/cc770299.aspx
Note: If you see a question about AD replication, the first preference is AD Sites and Services,
then Repadmin, and then DNSLINT.

Question No : 343 - (Topic 4)

Your network contains one Active Directory forest named contoso.com.

The forest contains a single domain.

The domain contains the domain controllers configured as shown in the following table.

Name  Site
DC1   Site1
DC2   Site2
DC3   Site3
DC4   Site4

The replication topology is configured as shown in the following output.

Cost : 100
DistinguishedName : CN=SiteLink1, CN=IP, CN=Inter-Site Transports, CN=Sites, CN=Configuration, Dc=Adatum, DC=com
Name : SiteLink1
ObjectClass : SiteLink
ObjectGUID : e1c8c335-b75f-4612-8a9e-58a0edead21f
ReplInterval : 60
SiteList : {CN=Site4, CN=Sites, CN=Configuration, DC=Adatum, DC=Adatum, DC=com, CN=Site2, CN=Sites, CN=Configuration, DC=Adatum, DC=Adatum, DC=com}

Cost : 100
DistinguishedName : CN=SiteLink1, CN=IP, CN=Inter-Site Transports, CN=Sites, CN=Configuration, Dc=Adatum, DC=com
Name : SiteLink2
ObjectClass : SiteLink
ObjectGUID : 9516948e-cd56-4a9b-b6ba-cdf3dd7fe0d1
ReplInterval : 60
SiteList : {CN=Site4, CN=Sites, CN=Configuration, DC=Adatum, DC=Adatum, DC=com, CN=Site2, CN=Sites, CN=Configuration, DC=Adatum, DC=Adatum, DC=com}

Cost : 100
DistinguishedName : CN=SiteLink3, CN=IP, CN=Inter-Site Transports, CN=Sites, CN=Configuration, Dc=Adatum, DC=com
Name : SiteLink3
ObjectClass : SiteLink
ObjectGUID : 07a7a37e-a12c-40c4-8042-f5d2e737b8a9
ReplInterval : 60
SiteList : {CN=Site4, CN=Sites, CN=Configuration, DC=Adatum, DC=Adatum, DC=com, CN=Site3, CN=Sites, CN=Configuration, DC=Adatum, DC=Adatum, DC=com}

Cost : 400
DistinguishedName : CN=SiteLink4, CN=IP, CN=Inter-Site Transports, CN=Sites, CN=Configuration, Dc=Adatum, DC=com
Name : SiteLink4
ObjectClass : SiteLink
ObjectGUID : 508810dc-30fd-4845-982a-d4552fba2e04
ReplInterval : 45
SiteList : {CN=Site4, CN=Sites, CN=Configuration, DC=Adatum, DC=Adatum, DC=com, CN=Site2, CN=Sites, CN=Configuration, DC=Adatum, DC=Adatum, DC=com}

You discover that replication between DC1 and DC3 takes a few hours.

You need to reduce the amount of time it takes to replicate Active Directory changes
between DC1 and DC3.

What should you do?

A. Create a site link that connects Site1 and Site3, has a cost of 350, and replicates every
15 minutes.
B. Modify SiteLink4 to replicate every 15 minutes.
C. Disable Site Link bridging.
D. Set the cost of SiteLink4 to 100.

Answer: D

Question No : 344 - (Topic 4)

Your network contains an Active Directory domain named contoso.com.

All domain controllers run Windows Server 2012 R2. The domain contains two domain
controllers.

The domain controllers are configured as shown in the following table.

The Branch site contains a member server named Server1 that runs Windows Server 2012
R2.

You need to identify which domain controller authenticated the computer account of
Server1.

What should you do?

A. Verify the value of the %LOGONSERVER% environment variable.
B. Run nltest /sc_query.
C. Verify the value of the %SESSIONNAME% environment variable.
D. Run nltest /dsgetsite.

Answer: A
Explanation:

A. %LOGONSERVER% is the domain controller that authenticated the current user.
B. Reports on the state of the secure channel the last time that you used it. (The secure
channel is the one that the NetLogon service established.)
This parameter lists the name of the domain controller that you queried on the secure
channel, also.
D. Returns the name of the site in which the domain controller resides.
http://technet.microsoft.com/en-us/library/cc753915(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc731935(v=ws.10).aspx

Question No : 345 - (Topic 4)

You have a file server named Server1 that runs a Server Core Installation of Windows
Server 2012 R2.

You need to ensure that users can access previous versions of files that are shared on
Server1 by using the Previous Versions tab.

Which tool should you use?

A. Diskpart
B. Wbadmin
C. Vssadmin
D. Storrept

Answer: C
Explanation:

A. Enables you to back up and restore your operating system, volumes, files, folders, and
applications from a command prompt.
B. DiskPart is a text-mode command interpreter that enables you to manage objects (disks,
partitions, volumes, or virtual hard disks) by using scripts or direct input from a command
prompt.
C. The storrept command is installed with File Server Resource Manager and includes
subcommands for creating and managing storage reports and storage report tasks, as well
as for configuring general administrative options for File Server Resource Manager.
D. Displays current volume shadow copy backups and all installed shadow copy writers
and providers. To view the command syntax for any of the commands in the following
table, click the command name.

http://technet.microsoft.com/en-us/library/cc754015(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc770877(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc753567(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc754968.aspx

Question No : 346 - (Topic 4)

Your network contains an Active Directory domain named Contoso.com.

The domain contains two servers named server1 and server2 that run Windows Server
2012 R2.

You create a security template named template1 by using the security template snap-in.

You need to apply template1 to server2.

Which tool should you use?

A. Security Configuration and Analysis
B. Server Manager
C. Security Template
D. Computer management

Answer: A

Question No : 347 - (Topic 4)

You have a server named File1 that runs Windows Server 2012 R2.

File1 has the File Server role service installed.

You plan to back up all shared folders by using Microsoft Online Backup.

You download and install the Microsoft Online Backup Service Agent on File1.

You need to ensure that you use Windows Server Backup to back up data to Microsoft
Online Backup.

What should you do?

A. From Computer Management, add the File1 computer account to the Backup Operators
group.
B. From Windows Server Backup, run the Register Server Wizard.
C. From a command prompt, run wbadmin.exe enable backup.
D. From the Services console, modify the Log On settings of the Microsoft Online Backup
Service Agent.

Answer: B
Explanation:

A. Enables you to back up and restore your operating system, volumes, files, folders, and
applications from a command prompt.
B. To register a server for use with Windows Azure Backup you must run the register
server wizard
http://technet.microsoft.com/en-us/library/hh831677.aspx

Question No : 348 - (Topic 4)

Your network contains an Active Directory domain named contoso.com.

All servers run Windows Server 2012 R2. The domain contains a server named Server1.

You open Review Options in the Active Directory Domain Services Configuration Wizard,
and then you click View script.

You need to ensure that you can use the script to promote Server1 to a domain controller.

Which file extension should you use to save the script?

A. .xml
B. .ps1
C. .bat
D. .cmd

Answer: B
Explanation:

The View Script button is used to view the corresponding PowerShell script. The
PowerShell script extension is .ps1.
The answer could logically be either a .cmd file or a .bat file.
According to http://www.fileinfo.com/:
PAL - Settings file created by Corel Painter or Palette of colors used by Dr. Halo bitmap
images
BAT - DOS batch file used to execute commands with the Windows Command Prompt
(cmd.exe); contains a series of line commands that typically might be entered at the DOS
command prompt; most commonly used to start programs and run maintenance utilities
within Windows.
XML - XML (Extensible Markup Language) data file that uses tags to define objects and
object attributes; formatted much like an .HTML document, but uses custom tags to define
objects and the data within each object; can be thought of as a text-based database.
CMD - Batch file that contains a series of commands executed in order; introduced with
Windows NT, but can be run by DOS or Windows NT systems; similar to a .BAT file, but is
run by CMD.EXE instead of COMMAND.COM.

Question No : 349 - (Topic 4)

You have configured a forest trust relationship between the Adatum forest and the Contoso
forest.

You want to ensure that users from the Contoso forest can authenticate only when needing
to access resources in the Adatum forest using the username@secure.contoso.com UPN
rather than any other UPN that is available for them.

Which of the following should you use to accomplish this goal?

A. SID filtering
B. Name suffix routing
C. Shortcut trust
D. External trust

Answer: B

Question No : 350 - (Topic 4)

You are employed as a network administrator at abc.com.

ABC.com has an Active Directory domain named ABC.com.

All servers on the abc.com network have Windows Server 2012 R2 installed and all
workstations have Windows 8 Enterprise installed.

ABC.com has established a remote Active Directory site that only hosts workstations.

The computer accounts for these workstations have been placed in an organizational unit
(OU), named ABCADRemote, which has a Group Policy object (GPO) associated with it.

You are in the process of configuring BranchCache for the remote Active Directory site.

You have already turned BranchCache on.

Which of the following actions should you take next?

A. You should consider having the Set BranchCache HostedServer Cache mode setting
configured
B. You should consider having the Set BranchCache HostedClient Cache mode setting
configured
C. You should consider having the Set BranchCache Distributed Cache mode setting
configured
D. You should consider having the Set BranchCache Disabled Cache mode setting
configured

Answer: C

Question No : 351 - (Topic 4)

Your organization is deploying a second Active Directory forest because a substantial
number of users need to access a resource that requires significant changes to the Active
Directory schema, which are not compatible with your current forest's schema.

You want users in your forest to be able to access any resource in any domain in the new
forest.

Which of the following should you do to accomplish this goal?

A. Configure a forest trust.
B. Configure an external trust.
C. Create a shortcut trust.
D. Configure name suffix routing.

Answer: A

Question No : 352 - (Topic 4)

Your network contains an Active Directory domain named contoso.com.

All user accounts reside in an organizational unit (OU) named OU1.

You create a Group Policy object (GPO) named GPO1.

You link GPO1 to OU1.

You configure the Group Policy preference of GPO1 to add a shortcut named Link1 to the
desktop of each user.

You discover that when a user deletes Link1, the shortcut is removed permanently from the
desktop.

You need to ensure that if a user deletes Link1, the shortcut is added to the desktop again.

What should you do?

A. Modify the Link1 shortcut preference of GPO1
B. Enable loopback processing in GPO1.
C. Enforce GPO1.
D. Modify the Security Filtering settings of GPO1.

Answer: A

Question No : 353 - (Topic 4)

Your network contains an Active Directory forest.

The forest contains two domains named contoso.com and fabrikam.com.

The functional level of the forest is Windows Server 2003.

The contoso.com domain contains domain controllers that run either Windows Server 2008
or Windows Server 2008 R2.

The functional level of the domain is Windows Server 2008.

The fabrikam.com domain contains domain controllers that run either Windows Server
2003 or Windows Server 2008.

The functional level of the domain is Windows Server 2003.

The contoso.com domain contains a member server named Server1 that runs Windows
Server 2012 R2.

You install the Active Directory Domain Services server role on Server1.

You need to add Server1 as a new domain controller in the contoso.com domain.

What should you do?

A. Run the Active Directory Domain Services Configuration Wizard.
B. Run adprep.exe /domainprep, and then run dcpromo.exe.
C. Raise the functional level of the forest, and then run dcpromo.exe.
D. Modify the Computer Name/Domain Changes properties.

Answer: A
Explanation:

Windows Server 2012 R2 requires a Windows Server 2003 forest functional level.
That is, before you can add a domain controller that runs Windows Server 2012 R2 to an
existing Active Directory forest, the forest functional level must be Windows Server 2003 or
higher.

http://blogs.technet.com/b/askpfeplat/archive/2012/09/03/introducing-the-first-
windowsserver-2012-domaincontroller.aspx
http://technet.microsoft.com/en-us/library/dd464018(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/jj574134.aspx

Question No : 354 - (Topic 4)

You are employed as a network administrator at contoso.com.

Contoso.com has a single Active Directory domain named contoso.com.

All servers on the contoso.com network have Windows Server 2012 R2 installed.

You are preparing to install a third-party application on a contoso.com server, named
SERVER1.

You find that the application is unable to install completely due to its driver not being
digitally signed.

You want to make sure that the application can be installed successfully.

Which of the following actions should you take?

A. You should consider downloading a signed driver.
B. You should consider having SERVER1 restored to an earlier date.
C. You should consider making use of the Disable Driver Signature Enforcement option
from the Advanced Boot Options.
D. You should consider restarting SERVER1 in Safe Mode.

Answer: C
Explanation:

A. The 3rd Party installation would need to be repackaged with a signed driver.
B. The restore to an older date would only work if the earlier date had Driver Sig
Enforcement disabled.
C. Disable Driver Signature Enforcement from Advanced Boot Options allows the OS to
load without the signed driver requirements
D. Safe Mode will not allow the unsigned driver to be installed; you need to select Disable
Driver Signature Enforcement so that signed drivers are not required.
http://technet.microsoft.com/en-us/library/bb491036.aspx
http://windows.microsoft.com/en-us/windows-vista/advanced-startup-options-includingsafe-
mode

Question No : 355 HOTSPOT - (Topic 4)

Your network contains one Active Directory forest named contoso.com.

The forest contains a single domain.

The domain contains the domain controllers configured as shown in the following table.

The forest contains a member server named Server1.

Server1 has an IP address of 172.16.10.66.

The forest has the following Active Directory subnet configuration.

Use the drop-down menus to select the answer choice that completes each statement.

Answer Area

Answer:

Explanation:

A. When you promote Server1 to a domain controller, the server object is assigned to the
following site: Site1
When you start an Active Directory lookup on a member server with the IP address
172.16.10.116, it attempts to connect to DC1.

B. When you promote Server1 to a domain controller, the server object is assigned to the
following site: Site2
When you start an Active Directory lookup on a member server with the IP address
172.16.10.116, it attempts to connect to DC2.

C. When you promote Server1 to a domain controller, the server object is assigned to the
following site: Site3
When you start an Active Directory lookup on a member server with the IP address
172.16.10.116, it attempts to connect to DC3.

D. When you promote Server1 to a domain controller, the server object is assigned to the
following site: Site4
When you start an Active Directory lookup on a member server with the IP address
172.16.10.116, it attempts to connect to DC4.

E. When you promote Server1 to a domain controller, the server object is assigned to the
following site: Site1
When you start an Active Directory lookup on a member server with the IP address
172.16.10.116, it attempts to connect to DC3.

F. When you promote Server1 to a domain controller, the server object is assigned to the
following site: Site2
When you start an Active Directory lookup on a member server with the IP address
172.16.10.116, it attempts to connect to DC1.

S1 - 172.16.10.66/26; /26 = 63 IP addresses; Site 2 is located in this subnet. You are
automatically redirected to DC2 based on your IP addressing.

Question No : 356 - (Topic 4)

Your network contains one Active Directory forest named contoso.com.

The forest contains a single domain.

The domain controllers are configured as shown in the following table.


A. DC1 120 DC3 60

Answer: A

Question No : 357 - (Topic 4)

Your network contains two Web servers named Server1 and Server2. Both servers run
Windows Server 2012 R2.

Server1 and Server2 are nodes in a Network Load Balancing (NLB) cluster. The NLB
cluster contains an application named App1 that is accessed by using the URL
http://app1.contoso.com.

You plan to perform maintenance on Server1.

You need to ensure that all new connections to App1 are directed to Server2. The solution
must not disconnect the existing connections to Server1.

What should you run?

A. The Set-NlbCluster cmdlet
B. The nlb.exe suspend command
C. The nlb.exe stop command
D. The Suspend-NlbClusterNode cmdlet

Answer: D
Explanation:

http://blogs.msdn.com/b/clustering/archive/2012/04/03/10290554.aspx

Question No : 358 - (Topic 4)

You work as an administrator at contoso.com. The contoso.com network consists of a single
domain named contoso.com.

All servers on the contoso.com network have Windows Server 2012 R2 installed.

Contoso.com has a server, named SERVER1, which has the AD DS, DHCP and DNS
server roles installed.

Contoso.com also has a server named SERVER2, which has the DHCP and Remote
Access server roles installed.

You have configured a server, which has the File and Storage Services server role
installed, to automatically acquire an IP address.

The server is named Server3.

You then create a filter on SERVER1.

Which of the following is a reason for this configuration?

A. To make sure that SERVER1 issues Server3 an IP address.
B. To make sure that SERVER1 does not issue SERVER3 an IP address.
C. To make sure that SERVER3 acquires a constant IP address from SERVER2 only.
D. To make sure that SERVER3 is configured with a static IP address.

Answer: B
Explanation:

A. MAC address filtering makes it possible to deny a MAC address from being issued an IP
address by the DHCP server.
B. A Deny filter would not allow SERVER1 to issue SERVER3 an IP address.
C. A DHCP reservation on SERVER2 would be needed for a constant IP address.
D. The question states that the server is configured to automatically acquire an IP address.
http://technet.microsoft.com/en-us/library/cc779507(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/ee941155(v=ws.10).aspx

Question No : 359 - (Topic 4)

You have a server named Server1 that runs Windows Server 2012 R2.

Server1 has five network adapters. Three of the network adapters are connected to a
network named LAN1.

The two other network adapters are connected to a network named LAN2.

You create a network adapter team named Team1 from two of the adapters connected to
LAN1.

You create a network adapter team named Team2 from the two adapters connected to
LAN2.

A company policy states that all server IP addresses must be assigned by using a reserved
address in DHCP.

You need to identify how many DHCP reservations you must create for Server1.

How many reservations should you identify?

A. 2
B. 3
C. 5
D. 7

Answer: B
Explanation:

3 adapters on LAN 1
2 adapters on LAN 2
2 adapters on LAN 1 used in a team, so that's 3 - 2 leaving 1.
2 adapters on LAN 2 used in a team, so that's 2 - 2 leaving 0.
1 team on LAN 1 + 1 team on LAN 2 + remaining adapter on LAN 1 = 3.

Question No : 360 - (Topic 4)

Your network contains two servers named Server1 and Server2.

Both servers run Windows Server 2012 R2. On Server1, you create a Data Collector Set
(DCS) named Data1.

You need to export Data1 to Server2.

What should you do first?

A. Right-click Data1 and click Data Manager...
B. Right-click Data1 and click Save template...
C. Right-click Data1 and click Properties.
D. Right-click Data1 and click Export list...

Answer: B
Explanation:

http://technet.microsoft.com/en-us/library/cc766318.aspx

Question No : 361 - (Topic 4)

Your network contains an Active Directory domain named contoso.com.

The domain contains two servers named Server1 and Server2 that run Windows Server
2012 R2.

Server1 has the DHCP Server server role installed. Server2 has the Hyper-V server role
installed.

Server2 has an IP address of 192.168.10.50. Server1 has a scope named Scope1 for the
192.168.10.0/24 network.

You plan to deploy 20 virtual machines on Server2 that will be connected to the external
network.

The MAC addresses for the virtual machines will begin with 00-15-5D-83-03.

You need to configure Server1 to offer the virtual machines IP addresses from
192.168.10.200 to 192.168.10.219.

Physical computers on the network must be offered IP addresses outside this range.

You want to achieve this goal by using the minimum amount of administrative effort.

What should you do from the DHCP console?

A. Create reservations.
B. Create a policy.
C. Delete Scope1 and create two new scopes.
D. Configure Allow filters and Deny filters.

Answer: B
Explanation:

A. With client reservations, it is possible to reserve a specific IP address for permanent use
by a DHCP client.
A new feature in Windows Server 2012 R2 called policy-based assignment allows for even
greater flexibility.
B. Policy-based assignment allows the policy to be scoped to a MAC address and an IP range.
C.
D. A DHCP server offers its services to the DHCP clients based on the availability of MAC
address filtering.
Once the Allow filter is set, all DHCP operations are based on the access controls
(allow/deny).

http://blogs.technet.com/b/teamdhcp/archive/2012/08/22/granular-dhcp-serveradministration-using-dhcppolicies-in-windows-server-2012.aspx
http://technet.microsoft.com/en-us/library/hh831538.aspx
http://technet.microsoft.com/en-us/library/ee405265(v=ws.10).aspx

Question No : 362 - (Topic 4)

You are configuring secondary links for the connections between the Melbourne and
Sydney sites and between the Melbourne and Adelaide sites.

The existing Melbourne to Sydney site link is called MEL-SYD-ALPHA and has a site link
cost of 100.

The existing Melbourne to Adelaide site link is called MEL-ADL-ALPHA and has a site link
cost of 100.

You want the secondary site links to be used only when the existing site links are
unavailable.

The new site links are named MEL-SYD-BETA and MEL-ADL-BETA.

Which of the following steps should you take to accomplish this goal?

A. Configure the site link cost for the MEL-SYD-BETA with a value of 110.
B. Configure the site link cost for the MEL-ADL-BETA with a value of 110.
C. Configure the site link cost for the MEL-ADL-BETA with a value of 90.
D. Configure the site link cost for the MEL-SYD-BETA with a value of 90.

Answer: A,B

Question No : 363 - (Topic 4)

Your network contains an Active Directory domain named contoso.com.

The domain contains a member server named Server1.

Server1 runs Windows Server 2012 R2 and has the Hyper-V server role installed. Server1
hosts 10 virtual machines.

A virtual machine named VM1 runs Windows Server 2012 R2 and hosts a
processor-intensive application named App1.

Users report that App1 responds more slowly than expected.

You need to monitor the processor usage on VM1 to identify whether changes must be
made to the hardware settings of VM1.

Which performance object should you monitor on Server1?

A. Hyper-V Hypervisor Logical Processor
B. Processor
C. Hyper-V Hypervisor Root Virtual Processor
D. Process
E. Hyper-V Hypervisor Virtual Processor

Answer: E

Question No : 364 - (Topic 4)

Your network contains an Active Directory domain named contoso.com.

The domain contains two domain controllers named DC1 and DC2 that run Windows
Server 2012 R2.

DC1 and DC2 fail to replicate Active Directory information.

You confirm that DC1 and DC2 have network connectivity.

The NTDS Settings of DC2 are configured as shown in the NTDS Settings exhibit. (Click the
Exhibit button.)

DNS is configured as shown in the DNS exhibit. (Click the Exhibit button.)


You need to ensure that DC1 and DC2 can replicate immediately.

Which two actions should you perform? (Each correct answer presents part of the solution.
Choose two.)

A. From DC1, restart the Netlogon service
B. From DC2, run nltest.exe /sync
C. From DC1, run ipconfig /flushdns
D. From DC1, run repadmin /syncall
E. From DC2, run ipconfig /registerdns
F. From DC2, restart the Netlogon service

Answer: D,F
Explanation:

The DNS exhibit shows that the alias (CNAME) entry that identifies DC2 as a domain
controller of the domain certbase.de is missing. While ipconfig /registerdns ensures that
the IP address of a DNS client is registered in DNS, restarting the Netlogon service on a
domain controller ensures that all service location records (service resource records,
SRV) of the domain controller are registered or renewed. After the service location
records for DC2 have been completed or modified, running repadmin /syncall on one of
the two domain controllers initiates immediate replication of the Active Directory
database.

Question No : 365 - (Topic 4)

Your network contains an Active Directory domain named contoso.com.

The domain contains servers named Server1 and Server2 that run Windows Server 2012
R2.

Server1 has the IP Address Management (IPAM) Server feature installed.

You install the IPAM client on Server2.

You open Server Manager on Server2 as shown in the exhibit. (Click the Exhibit button.)

You need to manage IPAM from Server2.

What should you do first?

A. On Server1, add the Server2 computer account to the IPAM MSM Administrators group
B. On Server2, open Computer Management and connect to Server1.
C. On Server2, add Server1 to Server Manager.
D. On Server1, add the Server2 computer account to the IPAM ASM Administrators group.

Answer: C

Question No : 366 - (Topic 4)

Which of the following authentication types must you enable to support Workplace Join?

A. Forms
B. Windows
C. Certificate
D. Device

Answer: D

Question No : 367 - (Topic 4)

Which of the following revocation statuses can you change to alter the status of a certificate
from revoked to valid?

A. Certificate Hold
B. CA Compromise
C. Key Compromise
D. Change Of Affiliation

Answer: A

Question No : 368 - (Topic 4)

Your network contains an Active Directory domain named contoso.com.

Domain controllers run either Windows Server 2008, Windows Server 2008 R2, or
Windows Server 2012 R2.

You have a Password Settings object (PSO) named PSO1.

You need to view the settings of PSO1.

Which tool should you use?

A. Get-ADDomainControllerPasswordReplicationPolicy
B. Get-ADDefaultDomainPasswordPolicy
C. Server Manager
D. Get-ADFineGrainedPasswordPolicy

Answer: D
Explanation:

A. Gets the members of the allowed list or denied list of a read-only domain controller's
password replication policy
B. Gets the default password policy for an Active Directory domain.
C. PSOs are managed from ADAC or PowerShell only.
D. Gets one or more Active Directory fine grained password policies.
http://technet.microsoft.com/en-us/library/ee617207.aspx
http://technet.microsoft.com/en-us/library/ee617244.aspx
http://technet.microsoft.com/en-us/library/ee617231.aspx

Question No : 369 - (Topic 4)

You are considering adding a child domain to the
dandenong.melbourne.victoria.australia.contoso.com domain tree.

Which of the following represents the maximum length in characters, including periods, of
an Active Directory domain name?

A. 64 characters
B. 128 characters
C. 256 characters
D. 512 characters

Answer: A

Question No : 370 - (Topic 4)

You manage an environment that has many servers.

The servers run Windows Server 2012 R2 and use iSCSI storage.

Administrators report that it is difficult to locate available iSCSI resources on the network.

You need to ensure that the administrators can locate iSCSI resources on the network by
using a central repository.

Which feature should you deploy?

A. The iSCSI Target Server role service
B. The iSNS Server service feature
C. The Windows Standards-Based Storage Management feature
D. The iSCSI Target Storage Provider feature

Answer: B
Explanation:

A. iSNS facilitates automated discovery, management, and configuration of iSCSI and
Fibre Channel devices (using iFCP gateways) on a TCP/IP network.
C. Windows Server 2012 R2 enables storage management that is comprehensive and fully
scriptable, and administrators can manage it remotely.
D. iSCSI Target Server enables you to network boot multiple computers from a single
operating system image that is stored in a centralized location.

http://technet.microsoft.com/en-us/library/cc772568.aspx
http://technet.microsoft.com/en-us/library/hh831751.aspx
http://technet.microsoft.com/en-us/library/dn305893.aspx

Question No : 371 - (Topic 4)

Which permission should you assign on a CA to a group of users that you want to allow to
alter the list of recovery agents?

A. Read
B. Issue And Manage Certificates
C. Manage CA
D. Request Certificates.

Answer: C

Question No : 372 - (Topic 4)

You have an enterprise certification authority (CA) named CA1.

You configure a recovery agent for CA1.

On CA1, you create a new certificate template named CertTemplate1, and then you
configure CA1 to allow certificates to be requested based on CertTemplate1.

You need to ensure that new certificates issued based on CertTemplate1 can be
recovered.

What should you do?

A. From the Certification Authority console, modify the enrollment agents of CA1.
B. From the Certification Authority console, modify the enrollment managers of CA1.
C. From the Certification Templates console, modify the Issuance Requirements setting of
CertTemplate1.
D. From the Certification Templates console, modify the Request Handling setting of
CertTemplate1.

Answer: C

Question No : 373 - (Topic 4)

Your network contains one Active Directory forest named contoso.com.

The forest contains two child domains and six domain controllers.

The domain controllers are configured as shown in the following table.

You need to replicate users who haven't authenticated against any domain controllers for
the last 7 days.

What should you use?

A. Set-ADSite
B. Set-ADReplicationSite
C. Set-ADDomain
D. Set-ADReplicationSiteLink
E. Set-ADGroup
F. Set-ADForest
G. Netdom

Answer: C
Explanation:

https://technet.microsoft.com/en-us/library/ee617212.aspx

Question No : 374 - (Topic 4)

You have a server named Server1 that has the Active Directory Certificate Services server
role installed.

Server1 uses a hardware security module (HSM) to protect the private key of Server1.

You need to ensure that the Active Directory Certificate Services (AD CS) database, log
files, and private key are backed up.

You perform regular backups of the HSM module by using a backup utility provided by the
HSM manufacturer.

What else should you do?

A. Run the certutil.exe command and specify the -backupkey parameter.
B. Run the certutil.exe command and specify the -backupdb parameter.
C. Run the certutil.exe command and specify the -backup parameter.
D. Run the certutil.exe command and specify the -dump parameter.

Answer: B
Explanation:

A. Backup the Active Directory Certificate Services certificate and private key
B. Backup the Active Directory Certificate Services database
C. Backup Active Directory Certificate Services
D. Dump configuration information or files


http://technet.microsoft.com/en-us/library/cc732443.aspx#BKMK_backupKey
http://technet.microsoft.com/en-us/library/cc732443.aspx#BKMK_backupDB
http://technet.microsoft.com/en-us/library/cc732443.aspx#BKMK_backup
http://technet.microsoft.com/library/cc732443.aspx#BKMK_dump

Question No : 375 - (Topic 4)

Your network contains an Active Directory domain named contoso.com. All domain
controllers run Windows Server 2012 R2. The domain contains two domain controllers. The
domain controllers are configured as shown in the following table.

The Branch site contains a perimeter network.

For security reasons, client computers in the perimeter network can communicate with
client computers in the Branch site only. You plan to deploy a new RODC to the perimeter
network in the Branch site. You need to ensure that the new RODC will be able to replicate
from DC10. What should you do first on DC10?

A. Enable the Bridge all site links setting.
B. Run the Active Directory Domain Services Configuration Wizard.
C. Create an Active Directory site link bridge.
D. Create an Active Directory site.

Answer: C
Explanation:

A. Site link transitivity is controlled by the Bridge all site links option on the properties pages
of transport folders (such as IP or SMTP) in the Active Directory Sites and Services snap-in.
Site link transitivity is enabled by default.
B.
C. If you cannot place a writable Windows Server 2008 domain controller in the nearest site to
the RODC, RODC replication depends on a site link bridge between the site links that
contain the site of the RODC and the site of the writable Windows Server 2008 domain
controller.
D. AD Site not readed for RODC
http://technet.microsoft.com/en-us/library/dd736189(v=WS.10).aspx
http://technet.microsoft.com/en-us/library/cc738789(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc732632(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc778718(v=WS.10).aspx

Question No : 376 - (Topic 4)

You are employed as a senior network administrator at ABC.com.

ABC.com has an Active Directory domain named ABC.com.

All servers on the ABC.com network have Windows Server 2012 R2 installed.

You are currently running a training exercise for junior network administrators.

You are discussing the endpoint types supported by Active Directory Federation
Services (AD FS).

Which of the following are supported types? (Choose all that apply.)

A. SAML WebSSO
B. Anonymous
C. WS-Federation Passive
D. Client Certificate
E. WS-Trust

Answer: A,C,E
Explanation:

http://technet.microsoft.com/en-us/library/adfs2-help-endpoints(v=ws.10).aspx

Question No : 377 - (Topic 4)

Your network contains an Active Directory domain named contoso.com. All servers run
Windows Server 2012 R2.

The domain contains a domain controller named DC1 that is configured as an enterprise
root certification authority (CA).

All users in the domain are issued a smart card and are required to log on to their domain-
joined client computer by using their smart card.

A user named User1 resigned and started to work for a competing company.

You need to prevent User1 immediately from logging on to any computer in the domain.
The solution must not prevent other users from logging on to the domain.

Which tool should you use?

A. Active Directory Users and Computers
B. Certificate Templates
C. The Security Configuration Wizard
D. The Certificates snap-in

Answer: A

Question No : 378 - (Topic 4)

You have a server named Server1 that runs Windows Server 2012 R2. Server1 has the
Windows Deployment Services server role installed.

You back up Server1 each day by using Windows Server Backup. The disk array on
Server1 fails.

You replace the disk array.

You need to restore Server1 as quickly as possible. What should you do?

A. Start Server1 from the Windows Server 2012 R2 installation media.
B. Start Server1 and press F8.
C. Start Server1 and press Shift+F8.
D. Start Server1 by using the PXE.

Answer: A
Explanation:

A. Recovery of the OS uses the Windows Setup Disc
http://technet.microsoft.com/en-us/library/cc753920.aspx
http://www.windowsnetworking.com/articles_tutorials/Restoring-Windows-Server-BareMetal.html

Question No : 379 - (Topic 4)

Your network contains an Active Directory domain named contoso.com.

Network Access Protection (NAP) is deployed to the domain.

You need to create NAP event trace log files on a client computer.

What should you run?

A. Logman
B. Tracert
C. Register-EngineEvent
D. Register-ObjectEvent

Answer: A

Question No : 380 - (Topic 4)

Your network contains an Active Directory domain named contoso.com.

All domain controllers run Windows Server 2012 R2. The domain contains two domain
controllers.

The domain controllers are configured as shown in the following table.

The Branch site contains a perimeter network.

For security reasons, client computers in the perimeter network can communicate with
client computers in the Branch site only.

You plan to deploy a new RODC to the perimeter network in the Branch site.

You need to ensure that the new RODC will be able to replicate from DC10.

What should you do first on DC10?

A. Run the Add-ADDSReadOnlyDomainControllerAccount cmdlet.
B. Create an Active Directory site.
C. Run the Active Directory Domain Services Configuration Wizard.
D. Create an Active Directory subnet.

Answer: A
Explanation:

Add-ADDSReadOnlyDomainControllerAccount creates a read-only domain controller
(RODC) account that can be used to install an RODC in Active Directory.
Note:
* Notes
Once you have added the RODC account, you can add an RODC to a server computer by
using the Install-ADDSDomainController cmdlet with the -ReadOnlyReplica switch
parameter.
* Example
Adds a new read-only domain controller (RODC) account to the corp.contoso.com domain
using the North America site as the source site for the replication source domain controller.
C:\PS>Add-ADDSReadOnlyDomainControllerAccount -DomainControllerAccountName RODC1 -DomainName corp.contoso.com -SiteName NorthAmerica
Incorrect:
Not B: There already is a branch site.
Reference: Add-ADDSReadOnlyDomainControllerAccount

Question No : 381 - (Topic 4)

You are employed as a senior network administrator at contoso.com.

Contoso.com has an Active Directory domain named contoso.com.

All servers on the contoso.com network have Windows Server 2012 R2 installed.

You are currently running a training exercise for junior network administrators.

You are discussing the DNSSEC NRPT rule property.

Which of the following describes the purpose of this rule property?

A. It is used to indicate the namespace to which the policy applies.
B. It is used to indicate whether the DNS client should check for DNSSEC validation in the
response.
C. It is used to indicate DNSSEC must be used to protect DNS traffic for queries belonging
to the namespace.
D. It is used to indicate whether DNS connections over DNSSEC will use encryption.

Answer: B
Explanation:

A. NRPT is a table that contains rules you can configure to specify DNS settings or special
behavior for names or namespaces
B. The DNS client's behavior is controlled by a policy (GPO) that determines whether the
client should check for validation results for names within a given namespace.
D. DNS does not provide any mechanism for the encryption of DNS queries and
responses.
http://technet.microsoft.com/en-us/library/ee649241(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/ee683904(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/ee649205(v=ws.10).aspx


Question No : 382 - (Topic 4)

You need to ensure that clients will check at least every 30 minutes as to whether a
certificate has been revoked. Which of the following should you configure to accomplish
this goal?

A. Key recovery agent
B. CRL publication interval
C. Delta CRL publication interval
D. Certificate templates.

Answer: C

Question No : 383 - (Topic 4)

Your network contains an Active Directory domain named contoso.com.

All domain controllers run Windows Server 2012. One of the domain controllers is named
DC1.

The DNS zone for the contoso.com zone is Active Directory-integrated and has the default
settings.

A server named Server1 is a DNS server that runs a UNIX-based operating system.

You plan to use Server1 as a secondary DNS server for the contoso.com zone.

You need to ensure that Server1 can host a secondary copy of the contoso.com zone.

What should you do?

A. From Windows PowerShell, run the Set-DnsServerForwarder cmdlet and specify the
contoso.com zone as a target.
B. From Windows PowerShell, run the Set-DnsServerSetting cmdlet and specify DC1 as a
target.
C. From Windows PowerShell, run the Set-DnsServerPrimaryZone cmdlet and specify the
contoso.com zone as a target.
D. From DNS Manager, modify the Advanced settings of DC1.

Answer: C
Explanation:

C. The Set-DnsServerSecondaryZone cmdlet changes settings for an existing secondary
zone on a Domain Name System (DNS) server.
http://technet.microsoft.com/en-us/library/jj649920(v=wps.620).aspx

Question No : 384 - (Topic 4)

You are employed as a network administrator at ABC.com.

ABC.com has an Active Directory domain named ABC.com. All servers on the ABC.com
network have Windows Server 2012 R2 installed.

The ABC.com domain has two Active Directory sites configured.

You want to use change notification to configure replication between these Active
Directory sites.

You have opened DEFAULTIPSITELINK Properties to configure the necessary attribute.

Which of the following is the attribute that needs to be configured?

A. The revision attribute
B. The Options attribute
C. The schedule attribute
D. The proxyAddresses attribute

Answer: B

Question No : 385 - (Topic 4)


You are employed as a network administrator at ABC.com.

ABC.com has an Active Directory domain named ABC.com. All servers on the ABC.com
network have Windows Server 2012 R2 installed.

ABC.com has a server named SERVER1, which has been configured to run the Hyper-V
server role. SERVER1 is configured to host multiple virtual machines.

When ABC.com acquires a server with a better hardware configuration than SERVER1, you
are instructed to relocate the virtual machines to the new server with as little interruption
as possible. Which of the following actions should you take? (Choose all that apply.)

A. You should consider exporting the virtual machines from Server1.
B. You should consider running a snapshot backup of the SERVER1.
C. You should consider importing the virtual machines from Server1 to the new server.
D. You should consider restoring the snapshot backup on the hard drives of the new server.

Answer: A,C

Question No : 386 - (Topic 4)

Your network contains two servers named Server1 and Server2 that run Windows Server
2012 R2.

Both servers have the Hyper-V server role installed.

The servers have the hardware configurations shown in the following table.

Server1 hosts five virtual machines that run Windows Server 2012 R2.

You need to move the virtual machines from Server1 to Server2.

The solution must minimize downtime.

What should you do for each virtual machine?

A. Export the virtual machines from Server1 and import the virtual machines to Server2.
B. Perform a live migration.
C. Perform a quick migration.
D. Perform a storage migration.

Answer: A
Explanation:

None of these migration options will work between different processors (AMD/Intel). The
only option remaining is to export and re-import the VMs.

Question No : 387 - (Topic 4)

You are employed as a network administrator at contoso.com.

Contoso.com has an Active Directory domain named contoso.com.

All servers on the contoso.com network have Windows Server 2012 R2 installed.

A contoso.com server, named Server1, hosts the Active Directory Certificate Services
server role and utilizes a hardware security module (HSM) to safeguard its private key.

You have been instructed to back up the Active Directory Certificate Services (AD CS)
database, log files, and private key regularly.

You should not use a utility supplied by the hardware security module (HSM) creator.

Which of the following actions should you take?

A. You should consider scheduling an incremental backup.
B. You should consider making use of the certutil.exe command.
C. You should consider scheduling a differential backup.
D. You should consider scheduling a copy backup.

Answer: B

Explanation:

A. ADCS needs to be backup up using certutil


B. -Backup, -backupdb, -backupKey: You can use Certutil.exe to dump and display
certification authority (CA) configuration information, configure Certificate Services, backup
and restore CA components, and verify certificates, key pairs, and certificate chains.
C. ADCS needs to be backup up using certutil
D. ADCS needs to be backup up using certutil

http://technet.microsoft.com/library/cc732443.aspx
http://technet.microsoft.com/en-us/library/cc732443.aspx#BKMK_backup
http://technet.microsoft.com/en-us/library/cc732443.aspx#BKMK_backupDB
http://technet.microsoft.com/en-us/library/cc732443.aspx#BKMK_backupKey
http://blogs.technet.com/b/pki/archive/2010/04/20/disaster-recovery-procedures-for-theactive-directorycertificate-services-adcs.aspx

Question No : 388 - (Topic 4)

You have a server named Server1 that runs Windows Server 2012 R2.

You have a subscription to Windows Azure.

You need to register the Microsoft Azure Backup Agent on Server1.

What should you do first?

A. Install the Microsoft System Center 2012 Data Protection Manager (DPM) agent.
B. Create a backup vault.
C. Create a Site Recovery vault.
D. Configure a passphrase for the Azure Backup Agent.

Answer: B
Explanation:

To back up files and data from your Windows Server to Azure, you must create a backup
vault in the geographic region where you want to store the data.
The main steps include:

* the creation of the vault you will use to store backups
* downloading a vault credential
* the installation of a backup agent

https://azure.microsoft.com/sv-se/documentation/articles/backup-configure-vault/

Question No : 389 - (Topic 4)

Your network contains an Active Directory domain named adatum.com.

You have a standard primary zone named adatum.com.

You need to provide a user named User1 the ability to modify records in the zone.

Other users must be prevented from modifying records in the zone.

What should you do first?

A. Run the Zone Signing Wizard for the zone.
B. From the properties of the zone, change the zone type.
C. Run the New Delegation Wizard for the zone.
D. From the properties of the zone, modify the Start Of Authority (SOA) record.

Answer: C

Question No : 390 - (Topic 4)


Your network contains an Active Directory domain named contoso.com.

The domain contains a server named Server1. Server1 runs Windows Server 2012 R2.

You create a group Managed Service Account named gService1.

You need to configure a service named Service1 to run as the gService1 account.

How should you configure Service1?

A. From a command prompt, run sc.exe and specify the config parameter.
B. From the Services console, configure the General settings.
C. From Windows PowerShell, run Set-Service and specify the -StartupType parameter.
D. From the Services console, configure the Log On settings.

Answer: A
Explanation:

Executing the sc.exe command with the config parameter will modify service configuration.

Question No : 391 - (Topic 4)

You have a file server named FS1 that runs Windows Server 8.

Data Deduplication is enabled on FS1.

You need to configure Data Deduplication to run at a normal priority from 20:00 to 06:00
daily.

What should you configure?

A. File and Storage Services in Server Manager
B. The Data Deduplication process in Task Manager
C. Disk Management in Computer Management
D. The properties of drive C

Answer: A
Explanation:


In Windows Server 2012 R2, deduplication can be enabled locally or remotely by using
Windows PowerShell or Server Manager.
http://technet.microsoft.com/en-us/library/hh831700.aspx

Question No : 392 - (Topic 4)

You perform a Server Core Installation of Windows Server 2012 R2 on a server named
Server1.

You need to add a graphical user interface (GUI) to Server1.

Which tool should you use?

A. the dism.exe command
B. the ocsetup.exe command
C. the setup.exe command
D. the Install-Module cmdlet

Answer: A
Explanation:

The DISM command is called by the Add-WindowsFeature command. Here is the syntax
for DISM:
Dism /online /enable-feature /featurename:ServerCore-FullServer /featurename:Server-Gui-Shell /featurename:Server-Gui-Mgmt

Question No : 393 - (Topic 4)

Your network contains an Active Directory domain named contoso.com.

All domain controllers run Windows Server 2012 R2.

An organizational unit (OU) named OU1 contains 200 client computers that run Windows 8
Enterprise.

A Group Policy object (GPO) named GPO1 is linked to OU1.

You make a change to GPO1.

You need to force all of the computers in OU1 to refresh their Group Policy settings
immediately.

The solution must minimize administrative effort.

Which tool should you use?

A. The Set-AdComputer cmdlet
B. Group Policy Object Editor
C. Active Directory Users and Computers
D. Group Policy Management Console (GPMC)

Answer: D
Explanation:

In the previous versions of Windows, this was accomplished by having the user run
GPUpdate.exe on their computer. Starting with Windows Server 2012 and Windows 8,
you can now remotely refresh Group Policy settings for all computers in an OU from one
central location through the Group Policy Management Console (GPMC). Or you can use
the Invoke-GPUpdate cmdlet to refresh Group Policy for a set of computers, not limited to
the OU structure, for example, if the computers are located in the default computers
container.
Note: Group Policy Management Console (GPMC) is a scriptable Microsoft Management
Console (MMC) snap-in, providing a single administrative tool for managing Group Policy
across the enterprise. GPMC is the standard tool for managing Group Policy.
Incorrect:
Not B: Secedit configures and analyzes system security by comparing your current
configuration to at least one template.
Reference: Force a Remote Group Policy Refresh (GPUpdate)

Question No : 394 - (Topic 4)

Your network contains an Active Directory domain named contoso.com.

The domain contains a main office and a branch office.

An Active Directory site exists for each office.

All domain controllers run Windows Server 2012 R2. The domain contains two domain
controllers.

The domain controllers are configured as shown in the following table.


DC1 hosts an Active Directory-integrated zone for contoso.com.

You add the DNS Server server role to DC2.

You discover that the contoso.com DNS zone fails to replicate to DC2.

You verify that the domain, schema, and configuration naming contexts replicate from DC1
to DC2.

You need to ensure that DC2 replicates the contoso.com zone by using Active Directory
replication.

Which tool should you use?

A. Ntdsutil
B. Repadmin
C. Dnslint
D. Active Directory Domains and Trusts

Answer: B
Explanation:

If you see a question about AD replication, the first preference is AD Sites and Services, then
Repadmin, and then DNSLint.

Question No : 395 - (Topic 4)

You have a DHCP server named Server1. Server1 has one network adapter.

Server1 is located on a subnet named Subnet1. Server1 has scope named Scope1.

Scope1 contains IP addresses for the 192.168.1.0/24 network.

Your company is migrating the IP addresses on Subnet1 to use a network ID of
10.10.0.0/16.

On Server1, you create a scope named Scope2. Scope2 contains IP addresses for the
10.10.0.0/16 network.

You need to ensure that clients on Subnet1 can receive IP addresses from either scope.

What should you create on Server1?

A. A multicast scope
B. A scope
C. A superscope
D. A split-scope

Answer: C
Explanation:

A. Multicasting is the sending of network traffic to a group of endpoints (destination hosts).
Only those members in the group of endpoints (hosts) that are listening for the multicast
traffic (the multicast group) process the multicast traffic.
B. A scope is an administrative grouping of IP addresses for computers on a subnet that
use the Dynamic Host Configuration Protocol (DHCP) service. The administrator first
creates a scope for each physical subnet and then uses the scope to define the parameters
used by clients.
C. A superscope is an administrative feature of Dynamic Host Configuration Protocol
(DHCP) servers running Windows Server 2008 that you can create and manage by using
the DHCP Microsoft Management Console (MMC) snap-in. By using a superscope, you
can group multiple scopes as a single administrative entity.
D.
http://technet.microsoft.com/en-us/library/dd759152.aspx
http://technet.microsoft.com/en-us/library/dd759218.aspx
http://technet.microsoft.com/en-us/library/dd759168.aspx


Question No : 396 - (Topic 4)

Your network contains an Active Directory domain named adatum.com.

The domain contains four servers.

The servers are configured as shown in the following table.

You plan to deploy an enterprise certification authority (CA) on a server named Server5.

Server5 will be used to issue certificates to domain-joined computers and workgroup
computers.

You need to identify which server you must use as the certificate revocation list (CRL)
distribution point for Server5.

Which server should you identify?

A. Server 3
B. Server 2
C. Server 4
D. Server 1

Answer: A
Explanation:

A. We cannot use AD DS because workgroup computers must access CRL distribution
point
B. We cannot use File Share because workgroup computers must access CRL distribution
point
C. Public facing web server can be used
D. AD DS, Web & File Share only

http://technet.microsoft.com/en-us/library/cc771079.aspx

Question No : 397 - (Topic 4)

The root domain of the Adatum forest is Adatum.local. The contoso.com domain tree is part
of the Adatum forest.

Don has an account in the australia.contoso.com domain and is signing on to a computer
that is a member of the computers.adatum.local domain.

No additional UPNs have been configured.

Which UPN suffix will Don use to sign on to this computer?

A. @adatum.com
B. @adatum.local
C. @computers.adatum.local
D. @australia.contoso.com

Answer: B

Question No : 398 - (Topic 4)

You are employed as a network administrator at ABC.com.

ABC.com has an Active Directory domain named ABC.com.

All servers including domain controllers on the ABC.com network have Windows Server
2012 R2 installed.

ABC.com has its headquarters in London and an office in Paris.

The London office has a domain controller named server1, which is configured as a
writable domain controller that serves as a global catalog server and a DNS server.

Server1 is configured to host an Active Directory-integrated zone for ABC.com.

The Paris office has a read-only domain controller (RODC) named server2, which serves
as a global catalog server.

After installing the DNS server role on server2, you want to make sure that the ABC.com
zone is replicated to server2 via active directory replication.

Which of the following actions should you take?

A. You should consider making use of Active Directory Sites and Services to configure
replication.
B. You should consider making use of replmon.exe to configure replication.
C. You should consider making use of repadmin.exe to configure replication.
D. You should consider making use of Active Directory Schema to configure replication.

Answer: A

Question No : 399 - (Topic 4)

You are employed as a network administrator at contoso.com.

Contoso.com has an Active Directory domain named contoso.com.

All servers on the contoso.com network have Windows Server 2012 R2 installed.

Contoso.com has a server named server1, which is configured as a file server.

You have been instructed to enable a feature that discovers and eradicates duplication
within data without compromising its reliability or accuracy.

Which of the following actions should you take?

A. You should consider having the Data Deduplication feature enabled.
B. You should consider having the Storage Spaces feature enabled.
C. You should consider having the Storage Management feature enabled.
D. You should consider having the folder redirection feature enabled.

Answer: A
Explanation:

A. Data deduplication involves finding and removing duplication within data without
compromising its fidelity or integrity
B. Storage Spaces in Windows Server 2012 R2 and Windows 8 enables cost-effective,
optimally used, highly available, scalable, and flexible storage solutions for business-critical
(virtual or physical) deployments.
C. Windows Server 2012 R2 enables storage management that is comprehensive and fully
scriptable, and administrators can manage it remotely.
D. Folder Redirection lets administrators redirect the path of a folder to a new location.
http://technet.microsoft.com/en-us/library/hh831602.aspx
http://technet.microsoft.com/en-us/library/hh831739.aspx
http://technet.microsoft.com/en-us/library/hh831751.aspx
http://technet.microsoft.com/en-us/library/cc732275.aspx
http://blogs.technet.com/b/filecab/archive/2012/05/21/introduction-to-data-deduplication-inwindows-server-2012.aspx

Question No : 400 - (Topic 4)


You are employed as a network administrator at ABC.com.

ABC.com has an Active Directory domain named ABC.com.

All servers on the ABC.com network have Windows Server 2012 R2 installed.

ABC.com has a server named server1 which is configured as a DHCP server.

You have created a superscope on server1.

Which of the following describes the reason for creating a superscope? (Choose all that
apply.)

A. To support DHCP clients on a single physical network segment where multiple logical IP
networks are used.
B. To allow for the sending of network traffic to a group of endpoints (destination hosts).
C. To support remote DHCP clients located on the far side of DHCP and BOOTP relay
agents.
D. To provide fault tolerance.

Answer: A,C

Question No : 401 HOTSPOT - (Topic 4)

Your company has a main office and a branch office. An Active Directory site exists for
each office. The network contains an Active Directory forest named contoso.com.

The contoso.com domain contains three member servers named Server1, Server2, and
Server3. All servers run Windows Server 2012 R2.

In the main office, you configure Server1 as a file server that uses BranchCache. In the
branch office, you configure Server2 and Server3 as BranchCache hosted cache servers.

You are creating a Group Policy for the branch office site. In the branch office, you need to
configure the client computers that run Windows 8 to use Server2 and Server3 as
BranchCache.


Answer:

Explanation:


http://technet.microsoft.com/en-us/library/ee649153(v=ws.10).aspx
http://blogs.technet.com/b/wsnetdoc/archive/2012/06/01/highlighting-branchcache-hosted-cache-mode-in-windows-server-2012.aspx

Question No : 402 - (Topic 4)

You have a server named DC2 that runs Windows Server 2012 R2. DC2 contains a DNS
zone named adatum.com.

The adatum.com zone is shown in the exhibit. (Click the Exhibit button.)


You need to configure DNS clients to perform DNSSEC validation for the adatum.com DNS
domain.

What should you configure?

A. The Network Location settings
B. A Name Resolution Policy
C. The DNS Client settings
D. The Network Connection settings

Answer: B
Explanation:

B. The Name Resolution Policy Table (NRPT) is a table that contains rules you can
configure to specify DNS settings or special behavior for names or namespaces.
The NRPT can be configured using Group Policy or by using the Windows Registry.
C. The DNS Client is the client component that resolves and caches Domain Name System (DNS)
domain names.
When the DNS Client service receives a request to resolve a DNS name that it does not
contain in its cache, it queries an assigned DNS server for an IP address for the name.
D. Network connections make it possible for computers to access resources on the network
and the internet.

http://technet.microsoft.com/en-us/library/hh831411.aspx#config_client1


Question No : 403 - (Topic 4)

You have a server named Server1 that runs Windows Server 2012 R2 and uses Windows
Server Backup.

You need to identify whether the backups performed on Server1 support bare metal
recovery.

Which cmdlet should you run?

A. Get-OBMachineSetting
B. GetWBVSSBackupOption
C. Get-WBPolicy
D. Get-OBPolicy

Answer: C
Explanation:

Get-OBMachineSetting is for Azure Backup; the question asks about Windows Backup.
The GetWBVSSBackupOption cmdlet doesn't exist.
Get-WBPolicy is for Windows Backup.
Get-OBPolicy is for Azure Backup; the question asks about Windows Backup.
https://technet.microsoft.com/en-us/library/Ee706650.aspx

Question No : 404 - (Topic 4)

You have a test server named Server1 that is configured to dual-boot between Windows
Server 2008 R2 and Windows Server 2012 R2.

You start Server1 and you discover that the boot entry for Windows Server 2008 R2 no
longer appears on the boot menu.

You start Windows Server 2012 R2 on Server1 and you discover the disk configurations
shown in the following table.

You need to restore the Windows Server 2008 R2 boot entry on Server1.

What should you do?

A. Run bcdedit.exe and specify the /createstore parameter
B. Run bootrec.exe and specify the /scanos parameter
C. Run bcdboot.exe d:\windows.
D. Run bootrec.exe and specify the /rebuildbcd parameter

Answer: D
Explanation:

A. BCDEdit is a command-line tool for managing BCD stores.
It can be used for a variety of purposes, including creating new stores, modifying existing
stores, and adding boot menu options. /Createstore creates a new empty boot configuration
data store.
The created store is not a system store.
B. Use the Bootrec.exe tool to troubleshoot a "Bootmgr Is Missing" issue.
The /ScanOs option scans all disks for installations that are compatible with Windows Vista
or Windows 7.
Additionally, this option displays the entries that are currently not in the BCD store. Use this
option when there are Windows Vista or Windows 7 installations that the Boot Manager
menu does not list.
C.
D. Use the Bootrec.exe tool to troubleshoot a "Bootmgr Is Missing" issue. The /ScanOs option scans
all disks for installations that are compatible with Windows Vista or Windows 7.
Additionally, this option displays the entries that are currently not in the BCD store. Use this
option when there are Windows Vista or Windows 7 installations that the Boot Manager
menu does not list.

http://technet.microsoft.com/en-us/library/cc709667(v=ws.10).aspx
http://support.microsoft.com/kb/927392/en-us

Question No : 405 - (Topic 4)

Your network contains one Active Directory domain named contoso.com.

The domain contains two servers named Server1 and Server2 that run Windows Server
2012 R2.

You perform daily backups of the data on Server1 to Microsoft Azure.

You need to restore the data from the 1st backup of Server1 to Server2.

What should you do first?

A. On Server2, install the Azure Backup agent.
B. In the domain, add Server1 to the Backup Operators group.
C. From the Azure management portal, modify the configuration of the backup vault.
D. On Server2, install the Windows Server Backup feature.

Answer: A
Explanation:
https://azure.microsoft.com/en-us/documentation/articles/backup-azure-restore-windows-server/#recover-to-an-alternate-machine

Question No : 406 - (Topic 4)

Your network contains an Active Directory forest.

The forest contains two domains named contoso.com and fabrikam.com.

The forest functional level is Windows 2000. The contoso.com domain contains domain
controllers that run either Windows Server 2008 or Windows Server 2008 R2.

The domain functional level is Windows Server 2008.

The fabrikam.com domain contains domain controllers that run either Windows 2000
Server or Windows Server 2003.

The domain functional level is Windows 2000 native.

The contoso.com domain contains a member server named Server1 that runs Windows
Server 2012 R2.

You need to add Server1 as a new domain controller in the contoso.com domain.

What should you do first?

A. Raise the functional level of the contoso.com domain to Windows Server 2008 R2.
B. Upgrade the domain controllers that run Windows Server 2008 to Windows Server 2008
R2.
C. Raise the functional level of the fabrikam.com domain to Windows Server 2003.
D. Decommission the domain controllers that run Windows 2000.
E. Raise the forest functional level to Windows Server 2003.

Answer: D
Explanation:

D. Server 2003 is the minimum domain functional level for any domain in the forest.
Windows Server 2012 R2 requires a Windows Server 2003 forest functional level.
That is, before you can add a domain controller that runs Windows Server 2012 R2 to an
existing Active Directory forest, the forest functional level must be Windows Server 2003 or
higher.
http://technet.microsoft.com/en-us/library/cc771294.aspx

Question No : 407 - (Topic 4)

Your network contains an Active Directory domain named contoso.com.

The domain contains a file server named Server1 and a domain controller named DC1.

All servers run Windows Server 2012 R2.

A Group Policy object (GPO) named GPO1 is linked to the domain.

Server1 contains a folder named Folder1.

Folder1 is shared as Share1.

You need to ensure that authenticated users can request assistance when they are denied
access to the resources on Server1.

Which two actions should you perform? (Each correct answer presents part of the solution.
Choose two.)

A. Assign the Read Attributes NTFS permission on Folder1 to the Authenticated Users
group.
B. Install the File Server Resource Manager role service on Server1.
C. Configure the Customize message for Access Denied errors policy setting of GPO1.
D. Enable the Enable access-denied assistance on client for all file types policy setting for
GPO1.
E. Install the File Server Resource Manager role service on DC1.

Answer: B,D
Explanation:

http://technet.microsoft.com/en-us/library/hh831402.aspx#BKMK_1

Question No : 408 - (Topic 4)

Your network contains an Active Directory domain named contoso.com.

The domain contains a main office and a branch office. An Active Directory site exists for
each office.

All domain controllers run Windows Server 2012 R2. The domain contains two domain
controllers.

The domain controllers are configured as shown in the following table.

DC1 hosts an Active Directory-integrated zone for contoso.com.

You add the DNS Server server role to DC2.

You discover that the contoso.com DNS zone fails to replicate to DC2.

You verify that the domain, schema, and configuration naming contexts replicate from DC1
to DC2.

You need to ensure that DC2 replicates the contoso.com zone by using Active Directory
replication.

Which tool should you use?

A. Dnslint
B. A DNS Manager
C. Active Directory Users and Computers
D. Dnscmd

Answer: A
Explanation:

Note: If you see a question about AD replication, the first preference is AD Sites and Services,
then Repadmin, and then DNSLint.

Question No : 409 - (Topic 4)

Your network contains an Active Directory domain named contoso.com.

You are creating a custom Windows Recovery Environment (Windows RE) image.

You need to ensure that when a server starts from the custom Windows RE image, a drive
is mapped automatically to a network share.

What should you modify in the image?

A. startnet.cmd
B. Xsl-mappings.xml
C. Win.ini
D. smb.types.ps1xml

Answer: A
Explanation:

The best way to define what to start is using startnet.cmd.
http://technet.microsoft.com/en-us/library/cc766521(v=ws.10).aspx

Question No : 410 - (Topic 4)

You are employed as a network administrator at ABC.com.

ABC.com has an Active Directory domain named ABC.com. All servers on the ABC.com
network have Windows Server 2012 R2 installed.

You are running a training exercise for junior network administrators.

You are currently discussing DHCP failover architecture.

You have informed the trainees that DHCP servers can be deployed as failover partners in
either hot standby mode or load sharing mode.

Which of the following is TRUE with regards to hot standby mode? (Choose all that apply.)

A. It is when two servers function in a failover relationship where an active server is
responsible for leasing IP addresses and configuration data to all clients in a scope or subnet.
B. It is when two servers in a failover relationship serve IP addresses and options to clients
on a given subnet at the same time.
C. It is best suited to deployments where a data center server acts as a standby backup
server to a server at a remote site.
D. It is best suited to deployments where both servers in a failover relationship are located at
the same physical site.

Answer: A,C


Question No : 411 - (Topic 4)

Your network contains an Active Directory domain named contoso.com.

The domain contains two domain controllers named DC1 and DC2.

You install Windows Server 2012 R2 on a new computer named DC3.

You need to manually configure DC3 as a domain controller.

Which tool should you use?

A. winrm.exe
B. Server Manager
C. dcpromo.exe
D. Active Directory Domains and Trusts

Answer: B
Explanation:

When you try to DCpromo a Server 2012, you get this message:

Question No : 412 - (Topic 4)

You want to enable key archiving on a CA.

You need to issue a certificate from a specific template to the user who will recover private
keys.

Which certificate template will you use as the basis for this certificate?

A. Kerberos authentication
B. Code signing
C. OCSP response signing
D. Key recovery agent

Answer: D

Question No : 413 - (Topic 4)

Your network contains two Web servers named Server1 and Server2. Both servers run
Windows Server 2012 R2.

Server1 and Server2 are nodes in a Network Load Balancing (NLB) cluster. The NLB
cluster has an application named App1 that is accessed by using the URL
http://app1.contoso.com. You plan to perform maintenance on Server1.

You need to ensure that all new connection server2. The solution must not disconnect the
existing connection to Server1

What should you run?

A. The Set-NlbClusterNode cmdlet
B. The nlb.exe suspend command
C. The nlb.exe stop command
D. The Suspend-NlbClusterNode cmdlet

Answer: D

Question No : 414 - (Topic 4)

Which of the following services would you restart on a domain controller if you wanted to
trigger a reregistration of the domain controller's _ldap and _kerberos SRV records?

A. DNS Server
B. Server
C. Workstation
D. Netlogon

Answer: D

Question No : 415 - (Topic 4)

Your network contains an Active Directory domain named contoso.com.

The domain contains two servers named Server1 and Server2 that run Windows Server
2012 R2.

Server1 has the IP Address Management (IPAM) Server feature installed.

Server2 has the DHCP Server server role installed.

A user named User1 is a member of the IPAM Users group on Server1.

You need to ensure that User1 can use IPAM to modify the DHCP scopes on Server2.

The solution must minimize the number of permissions assigned to User1.

To which group should you add User1?

A. DHCP Administrators on Server2
B. IPAM ASM Administrators on Server1
C. IPAMUG in Active Directory
D. IPAM MSM Administrators on Server1

Answer: A
Explanation:

The user needs rights to change DHCP, not IPAM.
C. Members of the DHCP Administrators group can view and modify any data at the DHCP
server.
http://technet.microsoft.com/en-us/library/jj878348.aspx
http://technet.microsoft.com/en-us/library/cc737716(v=ws.10).aspx

Question No : 416 - (Topic 4)

You want to configure a security relationship by which users in the Melbourne domain of
the Adatum.com forest are able to access resources in the Sydney domain of the Contoso
forest. Users do not require access to resources in any other domains in either forest.

Which of the following should you configure to accomplish this goal?

A. Configure a forest trust
B. Configure an external trust
C. Create a shortcut trust.
D. Configure name suffix routing.

Answer: B

Question No : 417 - (Topic 4)

Your network contains an Active Directory domain named contoso.com.

The domain contains a server named Server1 that runs Windows Server 2012 R2 and has
the DNS Server server role installed.

Server1 is configured to use a DNS server from an Internet Service Provider (ISP) as a
forwarder.

Corporate management requires that client computers only resolve names of contoso.com
computers.

You need to configure Server1 to resolve names in the contoso.com zone only.

What should you do on Server1?

A. From DNS Manager, modify the root hints of Server1.
B. From Windows PowerShell, run the Remove-DnsServerForwarder cmdlet.
C. From Windows PowerShell, run the Set-NetDnsTransitionConfiguration cmdlet.
D. From DNS Manager, modify the Advanced properties of Server1.

Answer: A
Explanation:

If the DNS server does not know the address of the requested site, then it will forward the
request to another DNS server. In order to do so, the DNS server must know of the IP
address of another DNS server that it can forward the request to. This is the job of root
hints. Root hints provide a list of IP addresses of DNS servers that are considered to be
authoritative at the root level of the DNS hierarchy (also known as root name servers).
http://technet.microsoft.com/en-us/library/ee649221(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/jj649867.aspx
http://technet.microsoft.com/en-us/library/jj613703.aspx

Question No : 418 - (Topic 4)

Your network contains an Active Directory domain named contoso.com.

The domain contains a domain controller named DC1 that runs Windows Server 2012 R2.

You create an Active Directory snapshot of DC1 each day.

You need to view the contents of an Active Directory snapshot from two days ago.

What should you do first?

A. Stop the Active Directory Domain Services (AD DS) service.
B. Run the ntdsutil.exe command.
C. Run the dsamain.exe command.
D. Start the Volume Shadow Copy Service (VSS).

Answer: B

Question No : 419 - (Topic 4)

Your network contains an Active Directory forest named contoso.com.

The forest contains a single domain.

The forest contains three Active Directory sites named SiteA, SiteB, and SiteC.

The sites contain four domain controllers.

The domain controllers are configured as shown in the following table.


An IP site link exists between each site.

You discover that the users in SiteC are authenticated by the domain controllers in SiteA
and SiteB.

You need to ensure that the SiteC users are authenticated by the domain controllers in
SiteB, unless all of the domain controllers in SiteB are unavailable.

What should you do?

A. Create a site link bridge.
B. Create additional connection objects for DC3 and DC4.
C. Create additional connection objects for DC1 and DC2.
D. Increase the cost of the site link between SiteA and SiteC.

Answer: D
Explanation:

http://technet.microsoft.com/en-us/library/dd277430.aspx#XSLTsection126121120120

Question No : 420 - (Topic 4)

You have an enterprise certification authority (CA) named CA1. You have a certificate
template named UserAutoEnroll that is based on the User certificate template. Domain
users are configured to autoenroll for UserAutoEnroll. A user named User1 has an email
address defined in Active Directory. A user named User2 does not have an email address
defined in Active Directory. You discover that User1 was automatically issued a certificate
based on the UserAutoEnroll template. A request by User2 for a certificate based on the
UserAutoEnroll template fails. You need to ensure that all users can autoenroll for
certificates based on the UserAutoEnroll template.

Which setting should you configure from the properties on the UserAutoEnroll certificate
template?

A. Issuance Requirements
B. Request Handling
C. Cryptography
D. Subject Name

Answer: D

Question No : 421 - (Topic 4)

Your network contains an Active Directory domain named contoso.com.

All domain controllers run Windows Server 2012 R2. The domain contains two domain
controllers.

The domain controllers are configured as shown in the following table.

The Branch site contains a perimeter network.

For security reasons, client computers in the perimeter network can communicate with
client computers in the Branch site only.

You plan to deploy a new RODC to the perimeter network in the Branch site.

You need to ensure that the new RODC will be able to replicate from DC10.

What should you do first on DC10?

A. Run dcpromo and specify the /createdcaccount parameter.
B. Run the Active Directory Domain Services Configuration Wizard.
C. Run the Add-ADDSReadOnlyDomainControllerAccount cmdlet.
D. Enable the Bridge all site links setting.

Answer: C
Explanation:

Creates a read-only domain controller (RODC) account that can be used to install an
RODC in Active Directory.
Note: Once you have added the RODC account, you can add an RODC to a server computer by
using the Install-ADDSDomainController cmdlet with the -ReadOnlyReplica switch
parameter.
Example: Adds a new read-only domain controller (RODC) account to the corp.contoso.com domain
using the North America site as the source site for the replication source domain controller.
C:\PS>Add-ADDSReadOnlyDomainControllerAccount -DomainControllerAccountName RODC1 -DomainName corp.contoso.com -SiteName NorthAmerica
Reference: Add-ADDSReadOnlyDomainControllerAccount

Question No : 422 - (Topic 4)

You have a server named File1 that runs Windows Server 2012 R2.

File1 has the File Server role service installed.

You plan to back up all shared folders by using Windows Azure Online Backup.

You download and install the Windows Azure Online Backup Service Agent on File1.

You need to ensure that you use Windows Server Backup to back up data to Windows
Azure Online Backup.

What should you do?

A. From Computer Management, add the File1 computer account to the Backup Operators
group.
B. From the Services console, modify the Log On settings of the Windows Azure Online
Backup Service Agent.
C. From Windows Server Backup, run the Register Server Wizard.
D. From a command prompt, run wbadmin.exe enable backup.

Answer: C
Explanation:

http://blogs.technet.com/b/windowsserver/archive/2012/03/28/microsoft-online-backupservice.aspx

Question No : 423 - (Topic 4)

Your network contains an Active Directory domain named adatum.com.

All domain controllers run Windows Server 2008 R2.

The domain contains a file server named Server6 that runs Windows Server 2012 R2.

Server6 contains a folder named Folder1. Folder1 is shared as Share1.

The NTFS permissions on Folder1 are shown in the exhibit. (Click the Exhibit button.)

The domain contains two global groups named Group1 and Group2.

You need to ensure that only users who are members of both Group1 and Group2 are
denied access to Folder1.

Which two actions should you perform? (Each correct answer presents part of the solution.
Choose two.)

A. Remove the Deny permission for Group1 from Folder1.
B. Deny Group2 permission to Folder1.
C. Install a domain controller that runs Windows Server 2012 R2.
D. Create a conditional expression.
E. Deny Group2 permission to Share1.

F. Deny Group1 permission to Share1.

Answer: C,D
Explanation:

* Conditional Expressions for Permission Entries: Windows Server 2008 R2 and Windows 7
enhanced Windows security descriptors by introducing a conditional access permission
entry. Windows Server 2012 R2 takes advantage of conditional access permission entries
by inserting user claims, device claims, and resource properties, into conditional
expressions. Windows Server 2012 R2 security evaluates these expressions and allows or
denies access based on results of the evaluation. Securing access to resources through
claims is known as claims-based access control. Claims-based access control works with
traditional access control to provide an additional layer of authorization that is flexible to the
varying needs of the enterprise environment.

http://social.technet.microsoft.com/wiki/contents/articles/14269.introducing-dynamicaccess-control-en-us.aspx

Question No : 424 - (Topic 4)

Your network contains an Active Directory domain named contoso.com. The domain
contains two member servers named Server1 and Server2 that run Windows Server 2012
R2. Server1 has Microsoft SQL Server 2012 installed.

You install the Active Directory Federation Services server role on Server2. You need to
configure Server2 as the first Active Directory Federation Services (AD FS) server in the
domain. The solution must ensure that the AD FS database is stored in a SQL Server
database on Server1.

What should you do on Server2?

A. From a command prompt, run fsutil.exe.
B. From Windows PowerShell, run Install-ADFSFarm.
C. From Server Manager, install the Federation Service Proxy.
D. From Server Manager, install the AD FS Web Agents.

Answer: B
Explanation:


A. Performs tasks that are related to file allocation table (FAT) and NTFS file systems, such
as managing reparse points, managing sparse files, or dismounting a volume.
B. Creates the first node of a new federation server farm
C. Not installing Proxy
D. Not Installing web agents
http://technet.microsoft.com/en-us/library/cc753059(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/jj553792.aspx
Parameter: -SQLConnectionString<String> Specifies the SQL Server database that will
store the AD FS configuration settings. If not specified, the AD FS installer uses the
Windows Internal Database to store configuration settings.
