Mar 2016 updated: Examcollection Microsoft 70-411 exam fees 157-168

★ Pass on Your First TRY ★ 100% Money Back Guarantee ★ Realistic Practice Exam Questions

Free Instant Download NEW 70-411 Exam Dumps (PDF & VCE):
Available on: https://www.certleader.com/70-411-dumps.html


70-411 Product Description:
Exam Number/Code: 70-411 vce
Exam name: Administering Windows Server 2012
n questions with full explanations
Certification: Microsoft Certification
Last updated on Global synchronizing

Instant Access to Free VCE Files: Microsoft 70-411 Administering Windows Server 2012

70-411 examcollection

High quality of 70-411 practice exam materials and dumps for Microsoft certification for IT learners, Real Success Guaranteed with Updated 70-411 pdf dumps vce Materials. 100% PASS Today!

2016 Mar 70-411 Study Guide Questions:

Q157. Your network contains an Active Directory domain named contoso.com. The domain contains a server named NPS1 that has the Network Policy Server server role installed. All servers run Windows Server 2012 R2. 

You install the Remote Access server role on 10 servers. 

You need to ensure that all of the Remote Access servers use the same network policies. 

Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.) 

A. Configure each Remote Access server to use the Routing and Remote Access service (RRAS) to authenticate connection requests. 

B. On NPS1, create a remote RADIUS server group. Add all of the Remote Access servers to the remote RADIUS server group. 

C. On NPS1, create a new connection request policy and add a Tunnel-Type and a Service-Type condition. 

D. Configure each Remote Access server to use a RADIUS server named NPS1. 

E. On NPS1, create a RADIUS client template and use the template to create RADIUS clients. 

Answer: C,D 

Explanation: 

Connection request policies are sets of conditions and settings that allow network administrators to designate which RADIUS servers perform the authentication and authorization of connection requests that the server running Network Policy Server (NPS) receives from RADIUS clients. Connection request policies can be configured to designate which RADIUS servers are used for RADIUS accounting. When you configure Network Policy Server (NPS) as a Remote Authentication Dial-In User Service (RADIUS) proxy, you use NPS to forward connection requests to RADIUS servers that are capable of processing the connection requests because they can perform authentication and authorization in the domain where the user or computer account is located. For example, if you want to forward connection requests to one or more RADIUS servers in untrusted domains, you can configure NPS as a RADIUS proxy to forward the requests to the remote RADIUS servers in the untrusted domain. To configure NPS as a RADIUS proxy, you must create a connection request policy that contains all of the information required for NPS to evaluate which messages to forward and where to send the messages. 

: http://technet.microsoft.com/en-us/library/cc730866(v=ws.10).aspx 


Q158. Your network contains an Active Directory domain named contoso.com. The domain contains a file server named Server1 that runs Windows Server 2012 R2. 

You view the effective policy settings of Server1 as shown in the exhibit. (Click the Exhibit button.) 


You need to ensure that an entry is added to the event log whenever a local user account is created or deleted on Server1. 

What should you do? 

A. In Servers GPO, modify the Advanced Audit Configuration settings. 

B. On Server1, attach a task to the security log. 

C. In Servers GPO, modify the Audit Policy settings. 

D. On Server1, attach a task to the system log. 

Answer: A 

Explanation: 

When you use Advanced Audit Policy Configuration settings, you need to confirm that these settings are not overwritten by basic audit policy settings. The following procedure shows how to prevent conflicts by blocking the application of any basic audit policy settings. 

Enabling Advanced Audit Policy Configuration 

Basic and advanced audit policy configurations should not be mixed. As such, it’s best practice to enable Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings in Group Policy to make sure that basic auditing is disabled. The setting can be found under Computer Configuration\Policies\Security Settings\Local Policies\Security Options, and sets the SCENoApplyLegacyAuditPolicy registry key to prevent basic auditing being applied using Group Policy and the Local Security Policy MMC snap-in. 

In Windows 7 and Windows Server 2008 R2, the number of audit settings for which success and failure can be tracked has increased to 53. Previously, there were nine basic auditing settings under Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy. These 53 new settings allow you to select only the behaviors that you want to monitor and exclude audit results for behaviors that are of little or no concern to you, or behaviors that create an excessive number of log entries. In addition, because Windows 7 and Windows Server 2008 R2 security audit policy can be applied by using domain Group Policy, audit policy settings can be modified, tested, and deployed to selected users and groups with relative simplicity. 

Audit Policy settings 

Any changes to user account and resource permissions. 

Any failed attempts for user logon. 

Any failed attempts for resource access. 

Any modification to the system files. 

Advanced Audit Configuration Settings 

Audit compliance with important business-related and security-related rules by tracking precisely defined activities, such as: 

. A group administrator has modified settings or data on servers that contain finance information. 

. An employee within a defined group has accessed an important file. 

. The correct system access control list (SACL) is applied to every file and folder or registry key on a computer or file share as a verifiable safeguard against undetected access. 

In Servers GPO, modify the Audit Policy settings - enabling audit account management setting will generate events about account creation, deletion and so on. 

Advanced Audit Configuration Settings 

Advanced Audit Configuration Settings ->Audit Policy 

-> Account Management -> Audit User Account Management 


In Servers GPO, modify the Audit Policy settings - enabling audit account management setting will generate events about account creation, deletion and so on. 


Reference: 

http: //blogs. technet. com/b/abizerh/archive/2010/05/27/tracing-down-user-and-computer-account-deletion-in-active-directory. aspx 

http: //technet. microsoft. com/en-us/library/dd772623%28v=ws. 10%29. aspx 

http: //technet. microsoft. com/en-us/library/jj852202(v=ws. 10). aspx 

http: //www. petri. co. il/enable-advanced-audit-policy-configuration-windows-server. htm 

http: //technet. microsoft. com/en-us/library/dd408940%28v=ws. 10%29. aspx 

http: //technet. microsoft. com/en-us/library/dd408940%28v=ws. 10%29. 

aspx#BKMK_step2 


Q159. Your network contains an Active Directory domain named contoso.com. The domain contains a domain controller named DC1 that runs Windows Server 2012 R2. 

All client computers run Windows 8 Enterprise. 

DC1 contains a Group Policy object (GPO) named GPO1. 

You need to deploy a VPN connection to all users. 

What should you configure from User Configuration in GPO1? 

A. Policies/Administrative Templates/Network/Windows Connect Now 

B. Policies/Administrative Templates/Network/Network Connections 

C. Policies/Administrative Templates/Windows Components/Windows Mobility Center 

D. Preferences/Control Panel Settings/Network Options 

Answer: D 

Explanation: 

1. Open the Group Policy Management Console. Right-click the Group Policy object (GPO) that should contain the new preference item, and then click Edit. 

2. In the console tree under Computer Configuration or User Configuration, expand the Preferences folder, and then expand the Control Panel Settings folder. 

3. Right-click the Network Options node, point to New, and select VPN Connection. 

The Network Options extension allows you to centrally create, modify, and delete dial-up networking and virtual private network (VPN) connections. Before you create a network option preference item, you should review the behavior of each type of action possible with the extension. 

Reference: http: //technet.microsoft.com/en-us/library/cc772449.aspx 


Q160. Your network contains an Active Directory domain named contoso.com. All domain controllers run Windows Server 2012 R2. 

You have a Group Policy object (GPO) named GPO1 that contains hundreds of settings. GPO1 is linked to an organizational unit (OU) named OU1. OU1 contains 200 client computers. 

You plan to unlink GPO1 from OU1. 

You need to identify which GPO settings will be removed from the computers after GPO1 is unlinked from OU1. 

Which two GPO settings should you identify? (Each correct answer presents part of the solution. Choose two.) 

A. The managed Administrative Template settings 

B. The unmanaged Administrative Template settings 

C. The System Services security settings 

D. The Event Log security settings 

E. The Restricted Groups security settings 

Answer: A,D 

Explanation: 

There are two kinds of Administrative Template policy settings: Managed and Unmanaged . The Group Policy service governs Managed policy settings and removes a policy setting when it is no longer within scope of the user or computer. 

References: http: //technet. microsoft. com/en-us/library/cc778402(v=ws. 10). aspx http: //technet. microsoft. com/en-us/library/bb964258. aspx 


70-411 free exam

Avant-garde 70-411 actual test:

Q161. DRAG DROP 

Your network contains an Active Directory domain named contoso.com. The domain contains two member servers named Server1 and Server2. All servers run Windows Server 2012 R2. 

You generalize Server2. 

You install the Windows Deployment Services (WDS) server role on Server1. 

You need to capture an image of Server2 on Server1. 

Which three actions should you perform? 

To answer, move the three appropriate actions from the list of actions to the answer area and arrange them in the correct order. 


Answer: 



Q162. Your network contains an Active Directory domain named contoso.com. All domain controllers run Windows Server 2012 R2. You plan to use fine-grained password policies to customize the password policy settings ofcontoso.com. 

You need to identify to which Active Directory object types you can directly apply the fine-grained password policies. 

Which two object types should you identify? (Each correct answer presents part of the solution. Choose two.) 

A. Users 

B. Global groups 

C. computers 

D. Universal groups 

E. Domain local groups 

Answer: A,B 

Explanation: 

First off, your domain functional level must be at Windows Server 2008. Second, Fine-grained password policies ONLY apply to user objects, and global security groups. Linking them to universal or domain local groups is ineffective. I know what you’re thinking, what about OU’s? Nope, Fine-grained password policy cannot be applied to an organizational unit (OU) directly. The third thing to keep in mind is, by default only members of the Domain Admins group can set fine-grained password policies. However, you can delegate this ability to other users if needed. 

Fine-grained password policies apply only to user objects (or inetOrgPerson objects if they are used instead of user objects) and global security groups. 

You can apply Password Settings objects (PSOs) to users or global security groups: 

References: 

http: //technet. microsoft. com/en-us/library/cc731589%28v=ws. 10%29. aspx 

http: //technet. microsoft. com/en-us/library/cc731589%28v=ws. 10%29. aspx 

http: //technet. microsoft. com/en-us/library/cc770848%28v=ws. 10%29. aspx 

http: //www. brandonlawson. com/active-directory/creating-fine-grained-password-policies/ 


Q163. Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that has the Remote Access server role installed. 

DirectAccess is implemented on Server1 by using the default configuration. 

You discover that DirectAccess clients do not use DirectAccess when accessing websites on the Internet. 

You need to ensure that DirectAccess clients access all Internet websites by using their DirectAccess connection. 

What should you do? 

A. Configure a DNS suffix search list on the DirectAccess clients. 

B. Configure DirectAccess to enable force tunneling. 

C. Disable the DirectAccess Passive Mode policy setting in the DirectAccess Client Settings Group Policy object (GPO). 

D. Enable the Route all traffic through the internal network policy setting in the DirectAccess Server Settings Group Policy object (GPO). 

Answer: B 

Explanation: 

With IPv6 and the Name Resolution Policy Table (NRPT), by default, DirectAccess clients separate their intranet and Internet traffic as follows: 

. DNS name queries for intranet fully qualified domain names (FQDNs) and all intranet traffic is exchanged over the tunnels that are created with the DirectAccess server or directly with intranet servers. Intranet traffic from DirectAccess clients is IPv6 traffic. 

. DNS name queries for FQDNs that correspond to exemption rules or do not match the intranet namespace, and all traffic to Internet servers, is exchanged over the physical interface that is connected to the Internet. Internet traffic from DirectAccess clients is typically IPv4 traffic. 

In contrast, by default, some remote access virtual private network (VPN) implementations, including the VPN client, send all intranet and Internet traffic over the remote access VPN connection. Internet-bound traffic is routed by the VPN server to intranet IPv4 web proxy servers for access to IPv4 Internet resources. It is possible to separate the intranet and Internet traffic for remote access VPN clients by using split tunneling. This involves configuring the Internet Protocol (IP) routing table on VPN clients so that traffic to intranet locations is sent over the VPN connection, and traffic to all other locations is sent by using the physical interface that is connected to the Internet. 

You can configure DirectAccess clients to send all of their traffic through the tunnels to the DirectAccess server with force tunneling. When force tunneling is configured, DirectAccess clients detect that they are on the Internet, and they remove their IPv4 default route. With the exception of local subnet traffic, all traffic sent by the DirectAccess client is IPv6 traffic that goes through tunnels to the DirectAccess server. 


Q164. Your network contains an Active Directory domain named contoso.com. All client computers run Windows 8.1. 

The network contains a shared folder named FinancialData that contains five files. 

You need to ensure that the FinancialData folder and its contents are copied to all of the client computers. 

Which two Group Policy preferences should you configure? (Each correct answer presents part of the solution. Choose two.) 

A. Shortcuts 

B. Network Shares 

C. Environment 

D. Folders 

E. Files 

Answer: D,E 

Explanation: 

Folder preference items allow you to create, update, replace, and delete folders and their contents. (To configure individual files rather than folders, see Files Extension.) Before you create a Folder preference item, you should review the behavior of each type of action possible with this extension. File preference items allow you to copy, modify the attributes of, replace, and delete files. (To configure folders rather than individual files, see Folders Extension.) Before you create a File preference item, you should review the behavior of each type of action possible with this extension. 


70-411 simulations

Actual 70-411 download:

Q165. Your network contains two Active Directory domains named contoso.com and adatum.com. 

The network contains a server named Server1 that runs Windows Server 2012 R2. Server1 has the DNS Server server role installed. Server1 has a copy of the contoso.com DNS zone. 

You need to configure Server1 to resolve names in the adatum.com domain. The solution must meet the following requirements: 

Prevent the need to change the configuration of the current name servers that host zones for adatum.com. Minimize administrative effort. 

Which type of zone should you create? 

A. Secondary 

B. Stub 

C. Reverse lookup 

D. Primary 

Answer: B 

Explanation: 

When a zone that this DNS server hosts is a stub zone, this DNS server is a source only for information about the authoritative name servers for this zone. The zone at this server must be obtained from another DNS server that hosts the zone. This DNS server must have network access to the remote DNS server to copy the authoritative name server information about the zone. 

A stub zone is a copy of a zone that contains only necessary resource records (Start of Authority (SOA), Name Server (NS), and Address/Host (A) record) in the master zone and acts as a pointer to the authoritative name server. The stub zone allows the server to forward queries to the name server that is authoritative for the master zone without going up to the root name servers and working its way down to the server. While a stub zone can improve performance, it does not provide redundancy or load sharing. 


You can use stub zones to: 

Keep delegated zone information current. By updating a stub zone for one of its child zones regularly, the DNS server that hosts both the parent zone and the stub zone will maintain a current list of authoritative DNS servers for the child zone. 

Improve name resolution. Stub zones enable a DNS server to perform recursion using the stub zone's list of name servers, without having to query the Internet or an internal root server for the DNS namespace. 

Simplify DNS administration. By using stub zones throughout your DNS infrastructure, you can distribute a list of the authoritative DNS servers for a zone without using secondary zones. However, stub zones do not serve the same purpose as secondary zones, and they are not an alternative for enhancing redundancy and load sharing. 

There are two lists of DNS servers involved in the loading and maintenance of a stub zone: 

The list of master servers from which the DNS server loads and updates a stub zone. A master server may be a primary or secondary DNS server for the zone. In both cases, it will have a complete list of the DNS servers for the zone. 

The list of the authoritative DNS servers for a zone. This list is contained in the stub zone using name server (NS) resource records. 

When a DNS server loads a stub zone, such as widgets. tailspintoys.com, it queries the master servers, which can be in different locations, for the necessary resource records of the authoritative servers for the zone widgets. tailspintoys.com. The list of master servers may contain a single server or multiple servers, and it can be changed anytime. 

References: http: //technet.microsoft.com/en-us/library/cc771898.aspx http: //technet.microsoft.com/en-us/library/cc754190.aspx http: //technet.microsoft.com/en-us/library/cc730980.aspx 


Q166. Your network contains an Active Directory domain named contoso.com. All domain controllers run Windows Server 2012. 

You pre-create a read-only domain controller (P.QDC) account named RODC1. 

You export the settings of RODC1 to a file named Filel.txt. 

You need to promote RODC1 by using File1.txt. 

Which tool should you use? 

A. The Install-WindowsFeature cmdlet 

B. The Add-WindowsFeature cmdlet 

C. The Dism command 

D. The Install-ADDSDomainController cmdlet 

E. the Dcpromo command 

Answer: E 


Q167. Your company has a main office and a branch office. The main office is located in Seattle. The branch office is located in Montreal. Each office is configured as an Active Directory site. 

The network contains an Active Directory domain named adatum.com. The Seattle office contains a file server named Server1. The Montreal office contains a file server named Server2. 

The servers run Windows Server 2012 R2 and have the File and Storage Services server role, the DFS Namespaces role service, and the DFS Replication role service installed. 

Server1 and Server2 each have a share named Share1 that is replicated by using DFS Replication. 

You need to ensure that users connect to the replicated folder in their respective office when they connect to \\contoso.com\Share1. 

Which three actions should you perform? (Each correct answer presents part of the solution. Choose three.) 

A. Create a replication connection. 

B. Create a namespace. 

C. Share and publish the replicated folder. 

D. Create a new topology. 

E. Modify the Referrals settings. 

Answer: B,C,E 

Explanation: 

To share a replicated folder and publish it to a DFS namespace Click Start, point to Administrative Tools, and then click DFS Management. In the console tree, under the Replication node, click the replication group that contains the replicated folder you want to share. In the details pane, on the Replicated Folders tab, right-click the replicated folder that you want to share, and then click Share and Publish in Namespace. In the Share and Publish Replicated Folder Wizard, click Share and publish the replicated folder in a 

namespace, and then follow the steps in the wizard. 

Note that: If you do not have an existing namespace, you can create one in the 

Namespace Path page in the Share and Publish Replicated Folder Wizard. To create the namespace, in the Namespace Path page, click Browse, and then click New Namespace. 

To create a namespace 

Click Start, point to Administrative Tools, and then click DFS Management. 

In the console tree, right-click the Namespaces node, and then click New Namespace. 

Follow the instructions in the New Namespace Wizard. 

To create a stand-alone namespace on a failover cluster, specify the name of a clustered file server instance on the Namespace Server page of the New Namespace Wizard. 

Important 

Do not attempt to create a domain-based namespace using the Windows Server 2008 mode unless the forest functional level is Windows Server 2003 or higher. Doing so can result in a namespace for which you cannot delete DFS folders, yielding the following error message: “The folder cannot be deleted. Cannot complete this function.” 

To share a replicated folder and publish it to a DFS namespace 

1. Click Start, point to Administrative Tools, and then click DFS Management. 

2. In the console tree, under the Replication node, click the replication group that contains the replicated folder you want to share. 

3. In the details pane, on the Replicated Folders tab, right-click the replicated folder that you want to share, and then click Share and Publish in Namespace. 

4. In the Share and Publish Replicated Folder Wizard, click Share and publish the replicated folder in a namespace, and then follow the steps in the wizard. 


"You need to ensure that users connect to the replicated folder in their respective office when they connect to \\contoso.com\Share1." 



Reference: http: //technet. microsoft. com/en-us/library/cc731531. aspx 

http: //technet. microsoft. com/en-us/library/cc772778%28v=ws. 10%29. aspx 

http: //technet. microsoft. com/en-us/library/cc732414. aspx 

http: //technet. microsoft. com/en-us/library/cc772379. aspx 

http: //technet. microsoft. com/en-us/library/cc732863%28v=ws. 10%29. aspx 

http: //technet. microsoft. com/en-us/library/cc725830. aspx 

http: //technet. microsoft. com/en-us/library/cc771978. aspx 


Q168. Your network contains an Active Directory domain named contoso.com. The domain 

contains a server named Server1 that runs Windows Server 2008 R2. 

You plan to test Windows Server 2012 R2 by using native-boot virtual hard disks (VHDs). 

You have a Windows image file named file1.wim. 

You need to add an image of a volume to file1.wim. 

What should you do? 

A. Run imagex.exe and specify the /append parameter. 

B. Run imagex.exe and specify the /export parameter. 

C. Run dism.exe and specify the /image parameter. 

D. Run dism.exe and specify the /append-image parameter. 

Answer: D 

Explanation: The Deployment Image Servicing and Management (DISM) tool is a command-line tool that enables the creation of Windows image (.wim) files for deployment in a manufacturing or corporate IT environment. The /Append-Image option appends a volume image to an existing .wim file allowing you to store many customized Windows images in a fraction of the space. When you combine two or more Windows image files into a single .wim, any files that are duplicated between the images are only stored once. 

Incorrect: 

Not A, Not B: Imagex has been retired and replaced by dism. 

Reference: Append a Volume Image to an Existing Image Using DISM 

https://technet.microsoft.com/en-us/library/hh824916.aspx