QUESTION 301

Your network contains an Active Directory domain named contoso.com. The domain contains two servers named Server1 and Server2 that run Windows Server 2012 R2. Server1 has the Group Policy Management feature installed. Server2 has the Print and Document Services server role installed. On Server2, you open Print Management and you deploy a printer named Printer1 by using a Group Policy object (GPO) named GPO1. When you open GPO1 on Server1, you discover that the Deployed Printers node does not appear. You need to view the Deployed Printers node in GPO1. What should you do?

 

A.

On Server1, modify the Group Policy filtering options of GPO1.

B.

On a domain controller, create a Group Policy central store.

C.

On Server2, install the Group Policy Management feature.

D.

On Server1, configure the security filtering of GPO1.

 

Correct Answer: C

Explanation:

Pre-Requisites

To use Group Policy for printer deployment, you will need a Windows Active Directory domain, and this article assumes that your Domain Controller is a Windows 2008 R2 Server. You will also need the Print Services role installed on a server (it can be on your DC), and you will be using the Print Management and Group Policy Management consoles to configure the various settings. It's assumed that you have already followed Part One and have one or more printers shared on your server with the necessary drivers, ready to deploy to your client computers.

The wording does not say if GPMC is installed on server 2, so I can only think that it does not deploy the GPO because it had no GPMC on server 2.

GPMC is not installed by default:

http://pipe2text.com/?page_id=1591

http://technet.microsoft.com/en-us/library/cc725932.aspx

 

 

QUESTION 302

Your network contains an Active Directory domain named contoso.com. All of the Applocker policy settings for the member servers are configured in a Group Policy object (GPO) named GPO1. A member server named Server1 runs Windows Server 2012 R2. On Server1, you test a new set of Applocker policy settings by using a local computer policy. You need to merge the local Applocker policy settings from Server1 into the Applocker policy settings of GPO1. What should you do?

 

A.

From Local Group Policy Editor on Server1, export an .xml file. Import the .xml file by using Group Policy Management Editor.

B.

From Local Group Policy Editor on Server1, export an .inf file. Import the .inf file by using Group Policy Management Editor.

C.

From Server1, run the Set-ApplockerPolicy cmdlet.

D.

From Server1, run the New-ApplockerPolicy cmdlet.

 

Correct Answer: C

Explanation:

http://technet.microsoft.com/en-us/library/ee791816(v=ws.10).aspx

The Set-AppLockerPolicy cmdlet sets the specified Group Policy Object (GPO) to contain the specified AppLocker policy. If no Lightweight Directory Access Protocol (LDAP) is specified, the local GPO is the default. When the Merge parameter is used, rules in the specified AppLocker policy will be merged with the AppLocker rules in the target GPO specified in the LDAP path. The merging of policies will remove rules with duplicate rule IDs, and the enforcement setting specified by the AppLocker policy in the target GPO will be preserved. If the Merge parameter is not specified, then the new policy will overwrite the existing policy.

 

QUESTION 303

Your network contains an Active Directory domain named contoso.com. You have a Group Policy object (GPO) named GP1 that is linked to the domain. GP1 contains a software restriction policy that blocks an Application named App1. You have a workgroup computer named Computer1 that runs Windows 8. A local Group Policy on Computer1 contains an Application control policy that allows App1. You join Computer1 to the domain. You need to prevent App1 from running on Computer1.

What should you do?

 

A.

From Group Policy Management, add an Application control policy to GP1.

B.

From Group Policy Management, enable the Enforced option on GP1.

C.

In the local Group Policy of Computer1, configure a software restriction policy.

D.

From Computer1, run gpupdate /force.

 

Correct Answer: A

Explanation:

AppLocker policies take precedence over policies generated by SRP on computers that are running an operating system that supports AppLocker.

AppLocker policies in the GPO are applied, and they supersede the policies generated by SRP in the GPO and local AppLocker policies or policies generated by SRP.

http://technet.microsoft.com/en-us/library/ee791851.aspx

 

 

QUESTION 304

Your network contains an Active Directory domain named contoso.com. The domain contains an Application server named Server1. Server1 runs Windows Server 2012 R2. Server1 is configured as an FTP server. Client computers use an FTP Application named App1.exe. App1.exe uses TCP port 21 as the control port and dynamically requests a data port. On Server1, you create a firewall rule to allow connections on TCP port 21. You need to configure Server1 to support the client connections from App1.exe. What should you do?

 

A.

Run netsh firewall add portopening TCP 21 dynamicftp.

B.

Create a tunnel connection security rule.

C.

Create an outbound firewall rule to allow App1.exe.

D.

Run netsh advfirewall set global statefulftp enable.

 

Correct Answer: D

Explanation:

http://technet.microsoft.com/en-us/library/cc771920%28v=ws.10%29.aspx#BKMK_set_2a

The netsh firewall context is supplied only for backward compatibility. We recommend that you do not use this context on a computer that is running Windows Vista or a later version of Windows.

In the netsh advfirewall firewall context, the add command only has one variation, the add rule command.

Netsh advfirewall set global statefulftp:

Configures how Windows Firewall with Advanced Security handles FTP traffic that uses an initial connection on one port to request a data connection on a different port.

When statefulftp is enabled, the firewall examines the PORT and PASV requests for these other port numbers and then allows the corresponding data connection to the port number that was requested.

Syntax

set global statefulftp { enable | disable | notconfigured }

Parameters

statefulftp can be set to one of the following values:

enable

The firewall tracks the port numbers specified in PORT command requests and in the responses to PASV requests, and then allows the incoming FTP data traffic entering on the requested port number.

disable

This is the default value. The firewall does not track outgoing PORT commands or PASV responses, and so incoming data connections on the PORT or PASV requested port are blocked as unsolicited incoming connections.

notconfigured

Valid only when netsh is configuring a GPO by using the set store command.

 

 

QUESTION 305

HOTSPOT

Your network contains an Active Directory domain named contoso.com. The domain contains an organizational unit (OU) named OU1 as shown in the OU1 exhibit. (Click the Exhibit button.)

 

clip_image002

 

The membership of Group1 is shown in the Group1 exhibit. (Click the Exhibit button.)

 

clip_image004

 

You configure GPO1 to prohibit access to Control Panel. GPO1 is linked to OU1 as shown in the GPO1 exhibit. (Click the Exhibit button.)

 

clip_image006

 

Select Yes if the statement can be shown to be true based on the available information; otherwise select No. Each correct selection is worth one point.

 

clip_image008

 

Correct Answer:

 

clip_image010

 

 

QUESTION 306

Your company has a main office and four branch offices. The main office contains a server named Server1 that runs Windows Server 2012 R2. The IP configuration of each office is configured as shown in the following table.

 

clip_image012

 

You need to add a single static route on Server1 to ensure that Server1 can communicate with the hosts on all of the subnets. Which command should you run?

 

A.

route.exe add -p 192.168.0.0 mask 255.255.248.0 172.31.255.254

B.

route.exe add -p 192.168.12.0 mask 255.255.252.0 172.31.255.254

C.

route.exe add -p 192.168.8.0 mask 255.255.252.0 172.31.255.254

D.

route.exe add -p 192.168.12.0 mask 255.255.255.0 172.31.255.254

 

Correct Answer: B

 

 

 

 

 

 

 

QUESTION 307

You work as an administrator at ENSUREPASS.com. The ENSUREPASS.com network consists of a single domain named ENSUREPASS.com. All servers in the ENSUREPASS.com domain, including domain controllers, have Windows Server 2012 R2 installed.

You have created and linked a new Group Policy object (GPO) to an organizational unit (OU), named ENSUREPASSServ, which hosts the computer accounts for servers in the ENSUREPASS.com domain.

You have been tasked with adding a group to a local group on all servers in the ENSUREPASS.com domain. This group should not, however, be removed from the local group.

Which of the following actions should you take?

 

A.

You should consider adding a restricted group.

B.

You should consider adding a global group.

C.

You should consider adding a user group.

D.

You should consider adding a server group.

 

Correct Answer: A

Explanation:

Restricted groups in Group policies are a simple way of delegating permissions or group membership centrally to any domain computer or server. Using restricted groups it is easier to enforce the lowest possible permissions to any given account.

Computer Configuration\Windows Settings\Security Settings\Restricted Groups

Restricted groups allow an administrator to define two properties for security-sensitive groups (that is, "restricted" groups). The two properties are Members and Member Of.

The Members list defines who should and should not belong to the restricted group.

The Member Of list specifies which other groups the restricted group should belong to. When a restricted Group Policy is enforced, any current member of a restricted group that is not on the Members list is removed. Any user on the Members list which is not currently a member of the restricted group is added. The Restricted Groups folder is available only in Group Policy objects associated with domains, OUs, and sites. The Restricted Groups folder does not appear in the Local Computer Policy object. If a Restricted Group is defined such that it has no members (that is, the Members list is empty), then all members of the group are removed when the policy is enforced on the system. If the Member Of list is empty no changes are made to any groups that the restricted group belongs to. In short, an empty Members list means the restricted group should have no members while an empty Member Of list means “don’t care” what groups the restricted group belongs to.

 

clip_image013

 

http://technet.microsoft.com/en-us/library/cc957640.aspx

 

 

QUESTION 308

Your network contains two Active Directory forests named contoso.com and adatum.com. Each forest contains one domain. A two-way forest trust exists between the forests. The forests use the address spaces shown in the following table.

 

clip_image015

 

From a computer in the contoso.com domain, you can perform reverse lookups for the servers in the contoso.com domain, but you cannot perform reverse lookups for the servers in the adatum.com domain. From a computer in the adatum.com domain, you can perform reverse lookups for the servers in both domains. You need to ensure that you can perform reverse lookups for the servers in the adatum.com domain from the computers in the contoso.com domain. What should you create?

 

A.

a delegation

B.

a trust point

C.

a conditional forwarder

D.

a GlobalNames zone

 

Correct Answer: C

Explanation:

http://technet.microsoft.com/en-us/library/cc757172(v=ws.10).aspx

Conditional forwarders are DNS servers that only forward queries for specific domain names. Instead of forwarding all queries it cannot resolve locally to a forwarder, a conditional forwarder is configured to forward a query to specific forwarders based on the domain name contained in the query. Forwarding according to domain names improves conventional forwarding by adding a name-based condition to the forwarding process.

The conditional forwarder setting for a DNS server consists of the following:

The domain names for which the DNS server will forward queries.

One or more DNS server IP addresses for each domain name specified.

When a DNS client or server performs a query operation against a DNS server, the DNS server looks to see if the query can be resolved using its own zone data or the data stored in its cache. If the DNS server is configured to forward for the domain name designated in the query, then the query is forwarded to the IP address of a forwarder associated with the domain name. For example, in the following figure, each of the queries for the domain names is forwarded to a DNS server associated with the domain name.

 

 

QUESTION 309

Your network contains an Active Directory domain named contoso.com. The domain contains two servers named Server1 and Server2 that run Windows Server 2012 R2. Server2 establishes an IPSec connection to Server1. You need to view which authentication method was used to establish the initial IPSec connection. What should you do?

 

A.

From Windows Firewall with Advanced Security, view the quick mode security association.

B.

From Event Viewer, search the Application Log for events that have an ID of 1704.

C.

From Event Viewer, search the Security Log for events that have an ID of 4672.

D.

From Windows Firewall with Advanced Security, view the main mode security association.

 

Correct Answer: D

Explanation:

http://technet.microsoft.com/en-us/library/dd448497(v=ws.10).aspx

Main mode negotiation establishes a secure channel between two computers by determining a set of cryptographic protection suites, exchanging keying material to establish a shared secret key, and authenticating computer and user identities. A security association (SA) is the information maintained about that secure channel on the local computer so that it can use the information for future network traffic to the remote computer. You can monitor main mode SAs for information like which peers are currently connected to this computer and which protection suite was used to form the SA.

To get to this view

In the Windows Firewall with Advanced Security MMC snap-in, expand Monitoring, expand Security Associations, and then click Main Mode.

The following information is available in the table view of all main mode SAs. To see the information for a single main mode SA, double-click the SA in the list.

Main mode SA information

You can add, remove, reorder, and sort by these columns in the Results pane:

Local Address: The local computer IP address.

Remote Address: The remote computer or peer IP address.

1st Authentication Method: The authentication method used to create the SA.

1st Authentication Local ID: The authenticated identity of the local computer used in first authentication.

1st Authentication Remote ID: The authenticated identity of the remote computer used in first authentication.

2nd Authentication Method: The authentication method used in the SA.

2nd Authentication Local ID: The authenticated identity of the local computer used in second authentication.

2nd Authentication Remote ID: The authenticated identity of the remote computer used in second authentication.

Encryption: The encryption method used by the SA to secure quick mode key exchanges.

Integrity: The data integrity method used by the SA to secure quick mode key exchanges.

Key Exchange: The Diffie-Hellman group used to create the main mode SA.

 

 

QUESTION 310

HOTSPOT

You have a Group Policy object (GPO) named Server Audit Policy. The settings of the GPO are shown in the Settings exhibit. (Click the Exhibit button.)

 

clip_image017

 

The scope of the GPO is shown in the Scope exhibit. (Click the Exhibit button.)

 

 

clip_image019

 

The domain contains a group named Group1. The membership of Group1 is shown in the Group1 exhibit. (Click the Exhibit button.)

 

clip_image021

 

Select Yes if the statement can be shown to be true based on the available information; otherwise select No. Each correct selection is worth one point.

 

clip_image023

 

Correct Answer:

 

clip_image025

 
