QUESTION 131
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1. Server1 runs Windows Server 2012 R2. On Server1, you create a printer named Printer1. You share Printer1 and publish Printer1 in Active Directory.
You need to provide a group named Group1 with the ability to manage Printer1.
What should you do?
A. From Print Management, configure the Sharing settings of Printer1.
B. From Active Directory Users and Computers, configure the Security settings of Server1- Printer1.
C. From Print Management, configure the Security settings of Printer1.
D. From Print Management, configure the Advanced settings of Printer1.
Answer: C
Explanation:
Set permissions for print servers
Note:
Open Print Management.
In the left pane, clickPrint Servers, right-click the App1icable print server and then clickProperties. On theSecuritytab, underGroup or users names, click a user or group for which you want to set permissions.
UnderPermissions for <user or group name>, select theAlloworDenycheck boxes for the permissions listed as needed.
To editSpecial permissions, clickAdvanced.
On thePermissionstab, click a user group, and then clickEdit. In thePermission Entrydialog box, select theAlloworDenycheck boxes for the permissions that you want to edit.
Reference: Set Permissions for Print Servers
QUESTION 132
Your network contains an Active Directory domain named contoso.com. All servers run Windows Server 2012 R2.
Client computers run either Windows 7 or Windows 8.
All of the computer accounts of the client computers reside in an organizational unit (OU) named Clients. A Group Policy object (GPO) named GP01 is linked to the Clients OU. All of the client computers use a DNS server named Server1.
You configure a server named Server2 as an ISATAP router. You add a host (A) record for ISATAP to the contoso.com DNS zone.
You need to ensure that the client computers locate the ISATAP router.
What should you do?
A. Run the Add-DnsServerResourceRecord cmdlet on Server1.
B. Configure the DNS Client Group Policy setting of GPO1.
C. Configure the Network Options Group Policy preference of GPO1.
D. Run the Set-DnsServerGlobalQueryBlockList cmdlet on Server1.
Answer: D
Explanation:
Windows Server 2008 introduced a new feature, called “Global Query Block list”, which prevents somearbitrary machine from registering the DNS name of WPAD. This is a good security feature, as it prevents someone from just joining your network, and setting himself up asa proxy. The dynamic update feature of Domain Name System (DNS) makes it possible for DNS client computers toregister and dynamically update their resource records with a DNS server whenever a client changes itsnetwork address or host name. This reduces the need for manual administration of zone records. This convenience comes at a cost, however,because any authorized client can register any unused host name, even a host name that might havespecial significance for certain Applications. This can allow a malicious user to take over a special nameand divert certain types of network traffic to that user’s computer. Two commonly deployed protocols are particularly vulnerable to this type of takeover: the Web ProxyAutomatic Discovery Protocol (WPAD) and the Intra-site Automatic Tunnel Addressing Protocol (ISATAP). Even if a network does not deploy these protocols, clients that are configured to use them are vulnerable to thetakeover that DNS dynamic update enables. Most commonly, ISATAP hosts construct their PRLs by using DNS to locate a host named isatap on the localdomain. For example, if the local domain is corp.contoso.com, an ISATAP-enabled host queries DNS to obtainthe IPv4 address of a host named
isatap.corp.contoso.com. In its default configuration, the Windows Server 2008 DNS Server service maintains a list of names that, ineffect, it ignores when it receives a query to resolve the name in any zone for which the server is authoritative. Consequently, a malicious user can spoof an ISATAP router in much the same way as a malicious user canspoof a WPAD server: A malicious user can use dynamic update to register the user’s own computer as acounterfeit ISATAP router and then divert traffic between ISATAP-enabled computers on the network. The initial contents of the block list depend on whether WPAD or ISATAP is already deployed when you addthe DNS server role to an existing Windows Server 2008 deployment or when you upgrade an earlier versionof Windows Server running the DNS Server service. Add- DnsServerResourceRecord – The Add-DnsServerResourceRecordcmdlet adds a resource record for aDomain Name System (DNS) zone on a DNS server. You can add different types of resource records. Use different switches for different record types. By using this cmdlet, you can change a value for a record, configure whether a record has a time stamp,whether any authenticated user can update a record with the same owner name, and change lookup timeoutvalues, Windows Internet Name Service (WINS) cache settings, and replication settings. Set-DnsServerGlobalQueryBlockList – The Set-
DnsServerGlobalQueryBlockListcmdlet changes settingsof a global query block list on a Domain Name System (DNS) server. This cmdlet replaces all names in the list of names that the DNS server does not resolve with the names thatyou specify. If you need the DNS server to resolve names such as ISATAP and WPAD, remove these names from the list. Web Proxy Automatic Discovery Protocol (WPAD) and Intra-site Automatic Tunnel Addressing Protocol(ISATAP) are two commonly deployed protocols that are particularly vulnerable to hijacking.
http://technet.microsoft.com/en-us/library/jj649857(v=wps.620).aspx http://technet.microsoft.com/en-us/library/cc794902%28v=ws.10%29.aspx http://technet.microsoft.com/en-us/security/bulletin/ms09-008
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0093
Windows DNS Server in Microsoft Windows 2000 SP4, Server 2003 SP1 and SP2, and Server 2008, whendynamic updates are enabled, does not restrict registration of the “wpad” hostname, which allows remoteauthenticated users to hijack the Web Proxy AutoDiscovery (WPAD) feature, and conduct man-in-the-middleattacks by spoofing a proxy server, via a Dynamic Update request for this hostname, aka “DNS ServerVulnerability in WPAD Registration Vulnerability,” a related issue to CVE- 2007-1692.
QUESTION 133
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2 and has the Remote Access server role installed.
A user named User1 must connect to the network remotely. The client computer of User1 requires Challenge Handshake Authentication Protocol (CHAP) for remote connections. CHAP is enabled on Server1.
You need to ensure that User1 can connect to Server1 and authenticate to the domain.
What should you do from Active Directory Users and Computers?
A. From the properties of Server1, select Trust this computer for delegation to any service (Kerberos only).
B. From the properties of Server1, assign the Allowed to Authenticate permission to User1.
C. From the properties of User1, select Use Kerberos DES encryption types for this account.
D. From the properties of User1, select Store password using reversible encryption.
Answer: D
Explanation:
The Store password using reversible encryption policy setting provides support for Applications that useprotocols that require the user’s password for authentication. Storing encrypted passwords in a way that isreversible means that the encrypted passwords can be decrypted. A knowledgeable attacker who is able tobreak this encryption can then log on to network resources by using the compromised account. For this reason,never enable Store password using reversible encryption for all users in the domain unless Applicationrequirements outweigh the need to protect password information. If you use the Challenge Handshake Authentication Protocol (CHAP) through remote access or InternetAuthentication Services (IAS), you must enable this policy setting. CHAP is an authentication protocolthat is used by remote access and network connections.
Digest Authentication in Internet Information Services(IIS) also requires that you enable this policy setting. If your organization uses CHAP through remote access or IAS, or Digest Authentication in IIS, you mustconfigure this policy setting to Enabled. This presents a security risk when you App1y the setting through GroupPolicy on a user-by-user basis because it requires the appropriate user account object to be opened in ActiveDirectory Users and Computers.
http://technet.microsoft.com/pt-pt/library/hh994559%28v=ws.10%29.aspx
QUESTION 134
Your network contains a Hyper-V host named Hyperv1 that runs Windows Server 2012 R2.
Hyperv1 has a virtual switch named Switch1.
You replace all of the network adapters on Hyperv1 with new network adapters that support single-root I/O virtualization (SR-IOV). You need to enable SR-IOV for all of the virtual machines on Hyperv1.
Which two actions should you perform? (Each correct answer presents part of the solution.
Choose two.)
A. On each virtual machine, modify the Advanced Features settings of the network adapter.
B. Modify the settings of the Switch1 virtual switch.
C. Delete, and then recreate the Switch1 virtual switch.
D. On each virtual machine, modify the BIOS settings.
E. On each virtual machine, modify the Hardware Acceleration settings of the network adapter.
Answer: CE
Explanation:
The first step when allowing a virtual machine to have connectivity to a physical network is to create an external virtual switch using Virtual Switch Manager in Hyper-V Manager. The additional step that is necessary when using SR-IOV is to ensure the checkbox is checked when the virtual switch is being created. It is not possible to change a “non SR-IOV mode” external virtual switch into an “SR-IOV mode” switch. The choice must be made a switch creation time.
E: Once a virtual switch has been created, the next step is to configure a virtual machine. SR-IOV in Windows Server “8” is supported on x64 editions of Windows “8” as a guest operating system (as in Windows “8” Server, and Windows “8” client x64, but not x86 client). We have rearranged the settings for a virtual machine to introduce sub-nodes under a network adapter, one of which is the hardware acceleration node. At the bottom is a checkbox to enable SR-IOV.
Note:
* Steps:
/ SR-IOV must be enabled on virtual switch
/ Install additional network drivers in the guest OS
/ Enable SR-IOV within the VMs though Hyper-V Manager
* Single Root I/O Virtualization (SR-IOV) is a standard introduced by the PCI-SIG that owns and manages PCI specifications as open industry standards.
SR-IOV enables network traffic to bypass the software switch layer of the Hyper-V Virtualization stack to reduce the I/O overhead in this layer. It allows an SR-IOV virtual function of a physical network adapter to be assigned directly to a virtual machine to increase network throughput by reducing latency. Host CPU overhead also get reduced for processing network traffic.
* The diagram below illustrates how SR-IOV allows virtual machines to directly address the physical NIC.
Reference: Everything you wanted to know about SR-IOV in Hyper-V Part 5
QUESTION 135
Your network contains a server named Server1 that runs Windows Server 2012 R2. Server1 is a member of a workgroup. You need to configure a local Group Policy on Server1 that will apply only to non- administrators.
Which tool should you use?
A. Server Manager
B. Group Policy Management Editor
C. Group Policy Management
D. Group Policy Object Editor
Answer: D
Explanation:
http://technet.microsoft.com/en-us/library/cc766291%28v=ws.10%29.aspx
QUESTION 136
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server! that runs Windows Server 2012 R2. Server1 contains a virtual machine named VM1 that runs Windows Server 2012 R2.
You need to ensure that a user named User1 can install Windows features on VM1. The solution must minimize the number of permissions assigned to User1.
To which group should you add User1?
A. Administrators on VM1
B. Power Users on VM1
C. Hyper-V Administrators on Server1
D. Server Operators on Server1
Answer: A
Explanation:
In Windows Server 2012 R2, the Server Manager console and Windows PowerShell-cmdlets for ServerManager allow installation of roles and features to local or remote servers, or offline virtual hard disks (VHDs).
You can install multiple roles and features on a single remote server or offline VHD in a single Add Roles andFeatures Wizard or Windows PowerShell session. You must be logged on to a server as an administrator to install or uninstall roles, role services, andfeatures. If you are logged on to the local computer with an account that does not have administrator rights onyour target server, right-click the target server in the Servers tile, and then click Manage As to provide anaccount that has administrator rights. The server on which you want to mount an offline VHD must be added toServer Manager, and you must have Administrator rights on that server.
http://technet.microsoft.com/en-us/library/hh831809.aspx
QUESTION 137
Your network contains an Active Directory domain named adatum.com. The domain contains a member server named LON-DC1. LON-DC1 runs Windows Server 2012 R2 and has the DHCP Server server role installed.
The network contains 100 client computers and 50 IP phones. The computers and the phones are from the same vendor. You create an IPv4 scope that contains addresses from 172.16.0.1 to 172.16.1.254.
You need to ensure that the IP phones receive IP addresses in the range of 172.16.1.100 to 172.16.1.200. The solution must minimize administrative effort.
What should you create?
A. Server level policies
B. Filters
C. Reservations
D. Scope level policies
Answer: D
Explanation:
When a client matches the conditions of a policy, the DHCP server responds to the clients based on the settings of a policy.
Settings associated to a policy can be an IP address range and/or options.
An administrator could configure the policy to provide an IP address from a specified sub-range within the overall IP address range of the scope.
You can also provide different option values for clients satisfying this policy.
Policies can be defined server wide or for a specific scope.
A server wide policy – on the same lines as server wide option values – is applicable to all scopes on the DHCP server.
A server wide policy however cannot have an IP address range associated with it.
There a couple of ways to segregate clients based on the type of device. One way to do this is by using vendor class/identifier.
This string sent in option 60 by most DHCP clients identify the vendor and thereby the type of the device.
Another way to segregate clients based on device type is by using the MAC address prefix. The first three bytes of a MAC address is called OUI and identify the vendor or manufacturer of the device.
By creating DHCP policies with conditions based on Vendor Class or MAC address prefix, you can now segregate the clients in your subnet in such a way, that devices of a specific type get an IP address only from a specified IP address range within the scope. You can also give different set of options to these clients.
In conclusion, DHCP policies in Windows Server 2012 R2 enables grouping of clients/devices using the different criteria and delivering targeted network configuration to them.
Policy based assignment in Windows Server 2012 R2 DHCP allows you to create simple yet powerful rules to administer DHCP on your network.
QUESTION 138
Your network contains an Active Directory forest. The forest contains a single domain named contoso.com. The domain contains four domain controllers. The domain controllers are configured as shown in the following table.
You plan to deploy a new domain controller named DC5 in the contoso.com domain.
You need to identify which domain controller must be online to ensure that DC5 can be promoted successfully to a domain controller. Which domain controller should you identify?
A. DC1
B. DC2
C. DC3
D. DC4
Answer: D
Explanation:
Relative ID (RID) Master:
Allocates active and standby RID pools to replica domain controllers in the same domain. (corp.contoso.com) Must be online for newly promoted domain controllers to obtain a local RID pool that is required to advertise or when existing domain controllers have to update their current or standby RID pool allocation.
The RID master is responsible for processing RID pool requests from all domain controllers in a particular domain. When a DC creates a security principal object such as a user or group, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain), and a relative ID (RID) that is unique for each security principal SID created in a domain. Each DC in a domain is allocated a pool of RIDs that it is allowed to assign to the security principals it creates. When a DC’s allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain’s RID master. The domain RID master responds to the request by retrieving RIDs from the domain’s unallocated RID pool and assigns them to the pool of the requesting DC At any one time, there can be only one domain controller acting as the RID master in the domain.
The Infrastructure Master – The purpose of this role is to ensure that cross-domain objectreferences are correctly handled. For example, if you add a user from one domain to a security group from a different domain, the Infrastructure Master makes sure this is done properly. As you can guess however, if your Active Directory deployment has only a single domain, then the Infrastructure Master role does no work at all, and even in a multi-domain environment it is rarely used except when complex user administration tasks are performed, so the machine holding this role doesn’t need to have much horsepower at all.
http://support.microsoft.com/kb/223346
http://en.wikipedia.org/wiki/Flexible_single_master_operation
QUESTION 139
Your network contains an Active Directory domain named contoso.com. The domain contains a member server named HVServer1. HVServer1 runs Windows Server 2012 R2 and has the Hyper-V server role installed.
HVServer1 hosts two virtual machines named Server1 and Server2. Both virtual machines connect to a virtual switch named Switch1.
On Server2, you install a network monitoring application named App1.
You need to capture all of the inbound and outbound traffic to Server1 by using App1.
Which two commands should you run from Windows PowerShell? (Each correct answer presents part of the solution. Choose two.)
A. Get-VM “Server2” | Set-VMNetworkAdapter -IovWeight 1
B. Get-VM “Server1” | Set-VMNetworkAdapter -Allow/Teaming On
C. Get-VM “Server1” | Set-VMNetworkAdapter -PortMirroring Source
D. Get-VM “Server2” | Set-VMNetworkAdapter -PortMirroring Destination
E. Get-VM “Server1” | Set-VMNetworkAdapter -IovWeight 0
F. Get-VM “Server2” | Set-VMNetworkAdapter-AllowTeaming On
Answer: CD
Explanation:
C: Catching the traffic from Server1
D: Catching the traffic to Server1.
Note:
* Get-VM
Gets the virtual machines from one or more Hyper-V hosts.
-ComputerName<String[]>
Specifies one or more Hyper-V hosts from which virtual machines are to be retrieved. NetBIOS names, IP addresses, and fully-qualified domain names are allowable. The default is the local computer — use “localhost” or a dot (“.”) to specify the local computer explicitly.
* Set-VMNetworkAdapter
Configures features of the virtual network adapter in a virtual machine or the management operating system.
* -PortMirroring<VMNetworkAdapterPortMirroringMode>
Specifies the port mirroring mode for the network adapter to be configured. Allowed values are None, Source, and Destination. If a virtual network adapter is configured as Source, every packet it sends or receives is copied and forwarded to a virtual network adapter configured to receive the packets. If a virtual network adapter is configured as Destination, it receives copied packets from the source virtual network adapter. The source and destination virtual network adapters must be connected to the same virtual switch. Specify None to disable the feature.
Reference: Set-VMNetworkAdapter; Get-VM
http://technet.microsoft.com/en-us/library/hh848479%28v=wps.620%29.aspx http://technet.microsoft.com/en-us/library/hh848457%28v=wps.620%29.aspx
QUESTION 140
You have a server named Server 1. Server1 runs Windows Server 2012 R2. Server1 has a thin provisioned disk named Disk1. You need to expand Disk1. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. From File and Storage Services, extend Disk1.
B. From File and Storage Services, add a physical disk to the storage pool.
C. From Disk Management, extend the volume.
D. From Disk Management, delete the volume, create a new volume, and then format the volume.
E. From File and Storage Services, detach Disk1.
Answer: AB
Explanation:
Step 1 (B): if required add physical disk capacity.
Step 2 (A): Dynamically extend the virtual disk (not volume). Windows Server 2012 Storage Space subsystem now virtualizes storage by abstracting multiple physical disksinto a logical construct with specified capacity. The process is to group selected physical disks into a container,the so-called storage pool, such that the total capacity collectively presented by those associated physicaldisks can appear and become manageable as a single and seemingly continuous space. Subsequently astorage administrator creates a virtual disk based on a storage pool, configure a storage layout which isessentially a RAID level, and expose the storage of the virtual disk as a drive letter or a mapped folder inWindows Explorer.
The system administrator uses File and Storage Services in Server Manager or the Disk Management tool torescan the disk, bring the disk online, and extend the disk size.
http://blogs.technet.com/b/yungchou/archive/2012/08/31/windows-server-2012- storagevirtualization-explained.aspx
Passing Microsoft 70-410 Exam successfully in a short time! Just using Braindump2go’s Latest Microsoft 70-410 Dump: