QUESTION 101
Your network contains two Hyper-V hosts named Host1 and Host2. Host1 contains a virtual machine named VM1. Host2 contains a virtual machine named VM2. VM1 and VM2 run Windows Server 2012 R2. You install the Network Load Balancing feature on VM1 and VM2. You need to ensure that the virtual machines are configured to support Network Load Balancing (NLB). Which virtual machine settings should you configure on VM1 and VM2?
A. Router guard
B. DHCP guard
C. Port mirroring
D. MAC address
Answer: D
Explanation:
In Hyper-V, the VM host prevents dynamic MAC address updates as an extra layer of security in thedatacenter. This is because the VM may have full administrator rights, yet it may be untrusted in thedatacenter, for example when the VM hosting is provided by an independent hosting company. In this scenario,we need to make sure that one VM cannot cause a DOS or information disclosure attack against another VM. If a VM is able to spoof its MAC address, then it can spoof the MAC addresses of other VMs and impactother VMs on that host. The physical switches have similar protections and it is up to the admin to enable thatprotection or not. If you do not enable spoofing of MAC address prior to configuring NLB on the VM you could potentially haveproblems with the NLB cluster.
When configuring NLB in unicast mode on Hyper-V with enable spoofing of MAC Address disabled you maysee some of the following symptoms:
When initially configuring NLB you will lose network connectivity on the network adaptor NLB was configuredon.
?There will be an NLB error event in the Windows Event Log stating that the network adaptor does not supportdynamic MAC address updates.
After rebooting the server, NLB will appear to be bound to the network adapter, but the cluster VIP will nothave been added to the network adaptor.
?The cluster MAC address will still be the original MAC address associated with the network adaptor prior toconfiguring NLB. Use CMD>ipconfig /all to view the MAC address.
It should start with “02-BF-***”
If you ignore all previous symptoms and manually add the VIP you could get an IP conflict if there are othernodes in the cluster that have the same VIP.
With that said, to allow VM guests to run NLB you need to set the VM property for “Enable spoofing of MACAddress”.
To enable spoofing of MAC Addresses open the Hyper-V management console. Make sure the VM is stoppedopen the properties of the VM. Select the Network Adaptor for the NLB VM and check the “Enable spoofing ofMAC Address” and click OK. Then start the VM.
QUESTION 102
Your network contains a Windows Server 2012 R2 image named Server12.wim. Server12.wim contains the images shown in the following table.
Server12.wim is located in C:\.
You need to enable the Windows Server Migration Tools feature in the Windows Server 2012 R2 Server Datacenter image. You want to achieve this goal by using the minimum amount of Administrative effort.
Which command should you run first?
A. dism.exe /mount-wim /wimfile:c:\Server12.wim /index:4 /mountdir:c:\mount
B. imagex.exe /capture c: c:\Server12.wim “windows server 2012server datacenter”
C. dism.exe /image: c:\Server12.wim /enable-feature /featurename: servermigration
D. imagex.exe /apply c:\Server12.wim 4 c:\
Answer: A
Explanation:
A. Mounts the image before making any chnages
B. imagex /capture creates windows images .wim
C. You need to mount the image first
D. imagex /App1y App1ies image to drive
The Deployment Image Servicing and Management (DISM) tool is a command-line tool that is used to modifyWindows?images. You can use DISM to enable or disable Windows features directly from the commandprompt, or by App1ying an answer file to the image. You can enable or disable Windows features offline on a WIM or VHD file, or online on a running operating system.
You can also use the DISM image management command to list the image index numbers or to verify thearchitecture for the image that you are mounting.ex:
Dism /Mount-Image /ImageFile:C:\test\images\install.wim /Name:”Base Windows Image”
/MountDir:C:\test\offline
By default, DISM is installed at C:\Program Files (x86)\Windows Kits\8.0\Assessment and
Deployment Kit\Deployment Tools\
http://technet.microsoft.com/en-us/library/hh824822.aspx
http://technet.microsoft.com/en-us/library/hh825258.aspx
http://technet.microsoft.com/en-us/library/cc749447(v=ws.10).aspx http://technet.microsoft.com/en-us/library/dd744382(v=ws.10).aspx
QUESTION 103
Your network contains an Active Directory domain named contoso.com. The network contains a domain controller named DC1 that has the DNS Server server role installed. DC1 has a standard primary DNS zone for contoso.com.
You need to ensure that only client computers in the contoso.com domain will be able to add their records to the contoso.com zone.
What should you do first?
A. Modify the Security settings of Dc1
B. Modify the Security settings of the contoso.com zone.
C. Store the contoso.com zone in Active Directory
D. Sign the contoso.com zone.
Answer: C
Explanation:
C. Only Authenticated users can create records when zone is stored in AD Secure dynamic updates allow an administrator to control what computers update what names and preventunauthorized computers from overwriting existing names in DNS. If you have an Active Directory infrastructure, you can only use Active Directory – integrated zones on ActiveDirectory domain controllers. If you are using Active Directory – integrated zones, you must decide whether or not to store Active Directory – integrated zones in the Application directory partition. To configure computers to update DNS data more securely, store DNS zones in Active Directory DomainServices (AD DS) and use the secure dynamic update feature. Secure dynamic update restricts DNS zone updates to only those computers that are authenticated and joinedto the Active Directory domain where the DNS server is located and to the specific security settings that aredefined in the access control lists (ACLs) for the DNS zone.
http://technet.microsoft.com/en-us/library/cc731204(v=ws.10).aspx http://technet.microsoft.com/en-us/library/cc755193.aspx
http://technet.microsoft.com/en-us/library/cc786068%28v=ws.10%29.aspx
QUESTION 104
Your network contains a server named Server1 that runs Windows Server 2012 R2. Server1 has the Hyper-V server role installed. Server1 hosts four virtual machines named VM1, VM2, VM3, and VM4. Server1 is configured as shown in the following table.
You install a network monitoring application on VM2.
You need to ensure that all of the traffic sent to VM3 can be captured on VM2.
What should you configure?
A. NUMA topology
B. Resource control
C. resource metering
D. virtual Machine Chimney
E. the VLAN ID
F. Processor Compatibility
G. the startup order
H. Automatic Start Action
I. Integration Services
J. Port mirroring
K. Single-root I/O virtualization
Answer: J
Explanation:
J. With Hyper-V Virtual Switch port mirroring, you can select the switch ports that are monitored as well as the switch port that receives copies of all the traffic
http://technet.microsoft.com/en-us/library/jj679878.aspx#bkmk_portmirror
QUESTION 105
Your network contains a server named Server1 that runs Windows Server 2012 R2. Server1 has the Hyper-V server role installed. Server1 hosts four virtual machines named VM1, VM2, VM3, and VM4. Server1 is configured as shown in the following table.
You plan to schedule a complete backup of Server1 by using Windows Server Backup.
You need to ensure that the state of VM1 is saved before the backup starts.
What should you configure?
A. NUMA topology
B. Resource control
C. resource metering
D. virtual Machine Chimney
E. the VLAN ID
F. Processor Compatibility
G. the startup order
H. Automatic Start Action
I. Integration Services
J. Port mirroring
K. Single-root I/O virtualization
Answer: I
Explanation:
What is the Hyper-V Saved State?
Some Hyper-V virtual machines briefly go offline into a “Saved State” at the initial phase of a backup.
While the backup is running, they usually come back online after a couple of seconds. Background KnowledgeThe decision to pull Hyper-V virtual machines offline into a Saved State is done solely within Hyper-VManagement Services.
Backup software utilities have no way to force a live backup when Hyper-V determines it can’t and shouldn’t bedone.There are many factors that are considered by Hyper-V when it decides whether to take a VM offline or not,Hyper-V Live Backup Requirements:
To achieve zero downtime live backups of virtual machines, you need the following conditions met:
1. The VM guest needs to have Integration Services installed, enabled, and running (COM+ System Application Service, Distributed Transaction Coordinator Service, and Volume Shadow Copy Service). Alsoreview the VM settings in Hyper-V, the ‘backup’ option needs to be checked.
2. All disks involved need to be formatted with NTFS, including the disks within the VM.
3. The Volume Shadow Copy Service and related VSS services need to be enabled and running.
4. The shadow copy storage space for each drive must be available to Hyper-V VSS Writer and be located atthe same volume. For instance, the storage space for drive C: needs to be on drive C: itself, and so on. Usethe VSSADMIN command from the command line to check the settings. (Use:
vssadmin list shadowstorage /vssadmin resize shadowstorage)
5. Ensure the VMs are partitioned using ‘basic disk’ formatting. At the moment Hyper-V does not support livebackup for VMs formatted using dynamic disk partitioning or GPT.
7. Ensure you have at least about 20% free space on each drive involved, such as the drive on the host andthe VM’s main system drive.
8. Ensure plenty of un-fragmented RAM is available on the host. If a machine is pulled into Saved State, Hyper-
V may not be able to bring the VM back online if it can’t allocate a continuous block of RAM. Note that theremay be sufficient total RAM available but not enough to place a single block. You should therefore aim to keepat least 512 MB to 1 GB of RAM free when all VMs are powered up.
http://msdn.microsoft.com/en-us/library/dd405549(v=vs.85).aspx http://backupchain.com/Understanding-Saved-State-Hyper-V-Backup.html
QUESTION 106
Your network contains a server named Server1 that runs Windows Server 2012 R2. Server1 has the Hyper-V server role installed. Server1 hosts four virtual machines named VM1, VM2, VM3, and VM4. Server1 is configured as shown in the following table.
VM3 is used to test applications. You need to prevent VM3 from synchronizing its clock to Server1. What should you configure?
A. NUMA topology
B. Resource control
C. resource metering
D. virtual Machine Chimney
E. the VLAN ID
F. Processor Compatibility
G. the startup order
H. Automatic Start Action
I. Integration Services
J. Port mirroring
K. Single-root I/O virtualization
Answer: I
Explanation:
By default when you install the Integration Services/Components you get time synchronization with the host OS, here is how to disable ongoing time synchronization. When you install the integration services/components in Hyper-V virtual machine you get a set of services installed and enabled by default.
Operating system shutdown
Time synchronization
Data exchange heartbeat
Backup via VSS
If you do not want the virtual machine to continuously synch its time to the Hyper-V host using the integration service, you can disable the integration service from the Hyper-V manager.
Open up the settings for the VM
Under Management, highlight the Integration Services option and you will get a list of the Integration
Services installed and enabled Uncheck the Time Synchronization service and press App1y. The virtual machine will now not sync its time with the Hyper-V host on a continuous basis….BUT it will always sync once at power on. This is required to boot strap the timer inside the virtual machine
http://www.virtualizationadmin.com/kbase/VirtualizationTips/ServerVirtualization/MicrosoftHyper- VTips/PerformanceandScalability/DisablingTimeSyncinaVM.html http://blogs.technet.com/b/virtualization/archive/2008/08/29/backing-up-hyper-v- virtualmachines.aspx
QUESTION 107
Your network contains a server named Server1 that runs Windows Server 2012 R2. Server1 has the Hyper-V server role installed. Server1 hosts four virtual machines named VM1, VM2, VM3, and VM4. Server1 is configured as shown in the following table.
You need to configure VM4 to track the CPU, memory, and network usage.
What should you configure?
A. NUMA topology
B. Resource control
C. resource metering
D. Virtual Machine Chimney
E. the VLAN ID
F. Processor Compatibility
G. the startup order
H. Automatic Start Action
I. Integration Services
J. Port mirroring
K. Single-root I/O virtualization
Answer: C
Explanation:
http://blogs.technet.com/b/meamcs/archive/2012/05/28/hyper-v-resource-metering-inwindows- server-2012-server-8-beta.aspx
Metrics
collected for each virtual machine using resource metering:
Average CPU usage, measured in megahertz over a period of time.
Average physical memory usage, measured in megabytes.
Minimum memory usage (lowest amount of physical memory). Maximum memory usage (highest amount of physical memory). Maximum amount of disk space allocated to a virtual machine. Total incoming network traffic, measured in megabytes, for a virtual network adapter. Total outgoing network traffic, measured in megabytes, for a virtual network adapter
QUESTION 108
Your network contains a server named Server1 that runs Windows Server 2012 R2. Server1 has the Hyper-V server role installed. Server1 hosts four virtual machines named VM1, VM2, VM3, and VM4. Server1 is configured as shown in the following table.
You need to ensure that VM1 can use more CPU time than the other virtual machines when the CPUs on Server1 are under a heavy load.
What should you configure?
A. NUMA topology
B. Resource control
C. resource metering
D. Virtual Machine Chimney
E. The VLAN ID
F. Processor Compatibility
G. The startup order
H. Automatic Start Action
I. Integration Services
J. Port mirroring
K. Single-root I/O virtualization
Answer: B
Explanation:
B. Resource controls provide you with several ways to control the way that Hyper-V allocates resources to virtual machine
When you create a virtual machine, you configure the memory and processor to provide the appropriate computing resources for the workload you plan to run on the virtual machine. This workload consists of the guest operating system and all applications and services that will run at the same time on the virtual machine.
Resource controls provide you with several ways to control the way that Hyper-V allocates resources to virtual machines.
Virtual machine reserve. Of the processor resources available to a virtual machine, specifies the percentage that is reserved for the virtual machine. This setting guarantees that the percentage you specify will be available to the virtual machine. This setting can also affect how many virtual machines you can run at one time.
Virtual machine limit. Of the processor resources available to a virtual machine, specifies the maximum percentage that can be used by the virtual machine. This setting applies regardless of whether other virtual machines are running.
Relative weight. Specifies how Hyper-V allocates resources to this virtual machine when more than one virtual machine is running and the virtual machines compete for resources.
http://technet.microsoft.com/en-us/library/cc742470.aspx
QUESTION 109
Your network contains a server named Server1 that runs Windows Server 2012 R2. Server1 has the Hyper-V server role installed. Server1 hosts four virtual machines named VM1, VM2, VM3, and VM4. Server1 is configured as shown in the following table.
VM2 sends and receives large amounts of data over the network. You need to ensure that the network traffic of VM2 bypasses the virtual switches of the parent partition. What should you configure?
A. NUMA topology
B. Resource control
C. Resource metering
D. Virtual Machine Chimney
E. The VLAN ID
F. Processor Compatibility
G. The startup order
H. Automatic Start Action
I. Integration Services
J. Port mirroring
K. Single-root I/O virtualization
Answer: K
Explanation:
K. SR-IOV maximizes network throughput while minimizing network latency as well as the CPU overhead required for processing network traffic.
http://technet.microsoft.com/en-us/library/hh831410.aspx
QUESTION 110
Your network contains an Active Directory domain named contoso.com. The network contains a member server named Server1 that runs Windows Server 2012 R2. Server1 has the DNS Server server role installed and has a primary zone for contoso.com. The Active Directory domain contains 500 client computers. There are an additional 20 computers in a workgroup. You discover that every client computer on the network can add its record to the contoso.com zone.
You need to ensure that only the client computers in the Active Directory domain can register records in the contoso.com zone.
What should you do first?
A. Move the contoso.com zone to a domain controller that is configured as a DNS server
B. Configure the Dynamic updates settings of the contoso.com zone
C. Sign the contoso.com zone by using DNSSEC
D. Configure the Security settings of the contoso.com zone.
Answer: A
Explanation:
If you install DNS server on a non-DC, then you are not able to create AD-integrated zones. DNS update security is available only for zones that are integrated into AD DS. When you directory- integrate a zone, access control list (ACL) editing features are available in DNS Managerso that you can add or remove users or groups from the ACL for a specified zone or resource record. http://technet.microsoft.com/en-us/library/cc771255.aspx
http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/9b041bbc-07654eed- bd1cd65027f05e9f/
http://blogs.msmvps.com/acefekay/2012/11/19/ad-dynamic-dns-updates-registration-rulesof- engagement/
1. Active Directory’s DNS Domain Name is NOT a single label name (“DOMAIN” vs the minimal requirement of”domain.com.” “domain.local,” etc).
2. The Primary DNS Suffix MUST match the zone name that is allowing updates. Otherwise the client doesn’tknow what zone name to register in. You can also have a different Conneciton Specific Suffix in addition to thePrimary DNS Suffix to register into that zone as well.
3. AD/DNS zone MUST be configured to allow dynamic updates, whether Secure or Secure and Non-Secure.
For client machines, if a client is not joined to the domain, and the zone is set to Secure, it will not registereither.
4. You must ONLY use the DNS servers that host a copy of the AD zone name or have a reference to get tothem. Do not use your ISP’s, an external DNS adddress, your router as a DNS address, or any other DNS thatdoes not have a copy of the AD zone. Internet resolution for your machines will be accomplished by the Rootservers (Root Hints), however it’s recommended to configure a forwarder for efficient Internet resolution. .
5. The domain controller is multihomed (which means it has more than one unteamed, active NIC, more thanone IP address, and/or RRAS is installed on the DC).
6. The DNS addresses configured in the client’s IP properties must ONLY reference the DNS server(s) hostingthe AD zone you want to update in. This means that you must NOT use an external DNS in any machine’s IP property in an AD environment.
You can’t mix them either. That’s because of the way the DNS Client side resolver service works. Even if youmix up internal DNS and ISP’s DNS addresses, the resolver algorithm can still have trouble asking the correctDNS server. It will ask the first one first. If it doesn’t get a response, it removes the first one from the eligibleresolvers list and goes to the next in the list. It will not go back to the first one unless you restart the machine,restart the DNS Client service, or set a registry entry to cut the query TTL to 0. The rule is to ONLY use yourinternal DNS server(s) and configure a forwarder to your ISP’s DNS for efficient Internet resolution.
This is the reg entry to cut the query to 0 TTL:
The DNS Client service does not revert to using the first server …The Windows 2000 Domain Name System (DNS) Client service (Dnscache) follows a certain algorithm when it decides the order in which to use the DNSservers …
http://support.microsoft.com/kb/286834
For more info, please read the following on the client side resolver service:
DNS, WINS NetBIOS & the Client Side Resolver, Browser Service, Disabling NetBIOS, Direct Hosted SMB(DirectSMB), If One DC is Down Does a Client logon to Another DC, and DNS Forwarders Algorithm if youhave multiple forwarders.
http://msmvps.com/blogs/acefekay/archive/2009/11/29/dns-wins-netbios-amp-the-clientside- resolver-browserservice-disabling-netbios-direct-hosted-smb-directsmb-if-one-dc-isdown-does-a- client-logon-to-another-dcand-dns-forwarders-algorithm.aspx
7. For DHCP clients, DHCP Option 006 for the clients are set to the same DNS server.
8. If using DHCP, DHCP server must only be referencing the same exact DNSserver(s) in it’s own IP properties in order for it to ‘force’ (if you setthat setting) registration into DNS. Otherwise, how would it know which DNSto send the reg data to? 9.
If the AD DNS Domain name is a single label name, such as “EXAMPLE”, and not the proper format of”example.com” and/or any child of that format, such as “child1.example.com”,
then we have a real big problem.
DNS
will not allow registration into a single label domain name.
This is for two reasons:
1. It’s not the proper hierachal format. DNS is hierarchal, but a single label name has no hierarchy.
It’s just asingle name.
2. Registration attempts causes major Internet queriesto the Root servers. Why? Because it thinks thesingle label name, such as “EXAMPLE”, is a TLD(Top Level Domain), such as “com”, “net”, etc. Itwill now try to find what Root name server out therehandles that TLD. In the end it comes back to itselfand then attempts to register. Unfortunately it doe NOTask itself first for the mere reason it thinks it’s a TLD.
(Quoted from Alan Woods, Microsoft, 2004):
“Due to this excessive Root query traffic, which ISC found from a study that discovered Microsoft DNS serversare causing excessive traffic because of single label names, Microsoft, being an internet friendly neighbor andwanting to stop this problem for their neighbors, stopped the ability to register into DNS with Windows 2000SP4, XP SP1, (especially XP,which cause lookup problems too), and Windows 2003. After all, DNS ishierarchal, so therefore why even allow single label DNS domain names?” The above also *especially* App1ies to Windows Vista, &, 2008, 2008 R2, and newer.
10. ‘Register this connection’s address” on the client is not enabled under the NIC’s IP properties, DNS tab.
11. Maybe there’s a GPO set to force Secure updates and the machine isn’t a joined member of the domain.
12. ON 2000, 2003 and XP, the “DHCP client” Service not running. In 2008/Vista and newer, it’s the DNSClient Service. This is a requirement for DNS registration and DNS resolution even if the client is not actuallyusing DHCP.
13. You can also configure DHCP to force register clients for you, as well as keep the DNS zone clean of old orduplicate entries. See the link I posted in my previous post.
Passing Microsoft 70-410 Exam successfully in a short time! Just using Braindump2go’s Latest Microsoft 70-410 Dump: