QUESTION 41

Your network contains an Active Directory forest named contoso.com. The forest contains a single domain. All domain controllers run Windows Server 2012 R2.

 

The domain contains two domain controllers. The domain controllers are configured as shown in the following table.

 

clip_image002

 

Active Directory Recycle Bin is enabled.

 

You discover that a support technician accidentally removed 100 users from an Active Directory group named Group1 an hour ago.

 

You need to restore the membership of Group1.

 

What should you do?

 

A.

Recover the items by using Active Directory Recycle Bin.

B.

Modify the is Recycled attribute of Group1.

C.

Perform tombstone reanimation.

D.

Perform an authoritative restore.

 

Correct Answer: A

Explanation:

Active Directory Recycle Bin helps minimize directory service downtime by enhancing your ability to preserve and restore accidentally deleted Active Directory objects without restoring Active Directory data from backups, restarting Active Directory Domain Services (AD DS), or rebooting domain controllers.

When you enable Active Directory Recycle Bin, all link-valued and non-link-valued attributes of the deleted Active Directory objects are preserved and the objects are restored in their entirety to the same consistent logical state that they were in immediately before deletion. For example, restored user accounts automatically regain all group memberships and corresponding access rights that they had immediately before deletion, within and across domains.

 

 

 

 

 

 

 

 

 

 

 

 

QUESTION 42

Your network contains an Active Directory domain named contoso.com. The domain contains a read-only domain controller (RODC) named RODC1.

 

You create a global group named RODC_Admins.

 

You need to provide the members of RODC_Admins with the ability to manage the hardware and the software on RODC1. The solution must not provide RODC_Admins with the ability to manage Active Directory objects.

 

What should you do?

 

A.

From Active Directory Site and Services, configure the Security settings of the RODC1 server object.

B.

From Windows PowerShell, run the Set-ADAccountControlcmdlet.

C.

From a command prompt, run the dsmgmt local roles command.

D.

From Active Directory Users and Computers, configure the Member Of settings of the RODC1 account.

 

Correct Answer: C

Explanation:

RODC: using the dsmgmt.exe utility to manage local administrators One of the benefits of RODC is that you can add local administrators who do not have full access to the domain administration. This gives them the ability to manage the server but not add or change active directory objects unless those roles are delegated. Adding this type of user is done using the dsmdmt.exe utility at the command prompt.

 

 

QUESTION 43

DRAG DROP

Your network contains an Active Directory forest named contoso.com. All domain controllers run Windows Server 2008 R2.

 

The schema is upgraded to Windows Server 2012 R2.

 

Contoso.com contains two servers. The servers are configured as shown in the following table.

 

clip_image004

 

Server1 and Server2 host a load-balanced application pool named AppPool1.

 

You need to ensure that AppPool1 uses a group Managed Service Account as its identity.

 

Which three actions should you perform?

 

To answer, move the three appropriate actions from the list of actions to the answer area and arrange them in the correct order.

 

clip_image006

 

Correct Answer:

clip_image008

 

 

QUESTION 44

Your network contains an Active Directory domain named contoso.com. The domain contains a domain controller named DC1 that runs Windows Server 2012 R2.

 

You create an Active Directory snapshot of DC1 each day.

 

You need to view the contents of an Active Directory snapshot from two days ago.

 

What should you do first?

 

A.

Run the dsamain.exe command.

B.

Stop the Active Directory Domain Services (AD DS) service.

C.

Start the Volume Shadow Copy Service (VSS).

D.

Run the ntdsutil.exe command.

 

Correct Answer: A

Explanation:

Dsamain.exe exposes Active Directory data that is stored in a snapshot or backup as a Lightweight Directory Access Protocol (LDAP) server.

http://technet.microsoft.com/en-us/library/cc772168.aspx

 

 

QUESTION 45

Your netwo
rk contains an Active Directory domain named contoso.com. All domain controllers run Windows Server 2012 R2.

 

In a remote site, a support technician installs a server named DC10 that runs Windows Server 2012 R2. DC10 is currently a member of a workgroup.

 

You plan to promote DC10 to a read-only domain controller (RODC).

 

You need to ensure that a user named Contoso\User1 can promote DC10 to a RODC in the contoso.com domain. The solution must minimize the number of permissions assigned to User1.

 

What should you do?

 

A.

From Active Directory Users and Computers, run the Delegation of Control Wizard on the contoso.com domain object.

B.

From Active Directory Administrative Center, pre-create an RODC computer account.

C.

From Ntdsutil, run the local roles command.

D.

Join DC10 to the domain. Run dsmod and specify the /server switch.

 

Correct Answer: B

Explanation:

A staged read only domain controller (RODC) installation works in two discrete phases:

1. Staging an unoccupied computer account

2. Attaching an RODC to that account during promotion

Reference:

Install a Windows Server 2012 R2 Active Directory Read-Only Domain Controller (RODC)

 

 

QUESTION 46

Your network contains an Active Directory domain named contoso.com. The domain contains more than 100 Group Policy objects (GPOs). Currently, there are no enforced GPOs.

 

You have two GPOs linked to an organizational unit (OU) named OU1.

 

You need to change the precedence order of the GPOs.

 

What should you use?

 

A.

Dcgpofix

B.

Get-GPOReport

C.

Gpfixup

D.

Gpresult

E.

Gpedit. msc

F.

Import-GPO

G.

Restore-GPO

H.

Set-GPInheritance

I.

Set-GPLink

J.

Set-GPPermission

K.

Gpupdate

L.

Add-ADGroupMember

 

Correct Answer: I

Explanation:

The Set-GPLinkcmdlet sets the properties of a GPO link.

You can set the following properties:

Enabled. If the GPO link is enabled, the settings of the GPO are applied when Group Policy is processed for the site, domain or OU.

Enforced. If the GPO link is enforced, it cannot be blocked at a lower-level (in the Group Policy processing hierarchy) container.

Order. The order specifies the precedence that the settings of the GPO take over conflicting settings in other GPOs that are linked (and enabled) to the same site, domain, or OU.

http://technet.microsoft.com/en-us/library/ee461022.aspx

 

 

QUESTION 47

Your network contains an Active Directory domain named contoso.com. The domain contains more than 100 Group Policy objects (GPOs). Currently, there are no enforced GPOs.

 

A network administrator accidentally deletes the Default Domain Policy GPO.

 

You do not have a backup of any of the GPOs.

 

You need to recreate the Default Domain Policy GPO.

 

What should you use?

 

A.

Dcgpofix

B.

Get-GPOReport

C.

Gpfixup

D.

Gpresult

E.

Gpedit. msc

F.

Import-GPO

G.

Restore-GPO

H.

Set-GPInheritance

I.

Set-GPLink

J.

Set-GPPermission

K.

Gpupdate

L.

Add-ADGroupMember

 

Correct Answer: A

Explanation:

Dcgpofix

Restores the default Group Policy objects to their original state (that is, the default state after initial installation).

http://technet.microsoft.com/en-us/library/hh875588(v=ws.10).aspx

 

 

QUESTION 48

Your network contains an Active Directory domain named contoso.com. The domain contains more than 100 Group Policy objects (GPOs). Currently, there are no enforced

GPOs.

 

The domain contains a top-level organizational unit (OU) for each department. A group named Group1 contains members from each department.

 

You have a GPO named GPO1 that is linked to the domain.

 

You need to configure GPO1 to apply settings to Group1 only.

 

What should you use?

 

A.

Dcgpofix

B.

Get-GPOReport

C.

Gpfixup

D.

Gpresult

E.

Gpedit. msc

F.

Import-GPO

G.

Restore-GPO

H.

Set-GPInheritance

I.

Set-GPLink

J.

Set-GPPermission

K.

Gpupdate

L.

Add-ADGroupMember

 

Correct Answer: J

Explanation:

Set-GPPermission grants a level of permissions to a security principal (user, security group, or computer) for one GPO or all the GPOs in a domain. You use the TargetName and TargetType parameters to specify a user, security group, or computer for which to set the permission level.

Replace <SwitchParameter>

Specifies that the existing permission level for the group or user is removed before the new permission level is set. If a security principal is already granted a permission level that is higher than the specified permission level and you do not use the Replace parameter, no change is made.

 

http://technet.microsoft.com/en-us/library/ee461038.aspx

 

 

QUESTION 49

Your network contains an Active Directory domain named contoso.com. The domain contains more than 100 Group Policy objects (GPOs). Currently, there are no enforced GPOs.

 

The domain is renamed to adatum.com.

 

Group Policies no longer function correctly.

 

You need to ensure that the existing GPOs are applied to users and computers. You want to achieve this goal by using the minimum amount of administrative effort.

 

What should you use?

 

A.

Dcgpofix

B.

Get-GPOReport

C.

Gpfixup

D.

Gpresult

E.

Gpedit. msc

F.

Import-GPO

G.

Restore-GPO

H.

Set-GPInheritance

I.

Set-GPLink

J.

Set-GPPermission

K.

Gpupdate

L.

Add-ADGroupMember

 

Correct Answer: C

Explanation:

You can use the gpfixup command-line tool to fix the dependencies that Group Policy objects (GPOs) and Group Policy links in Active Directory Domain Services (AD DS) have on Domain Name System (DNS) and NetBIOS names after a domain rename operation.

http://technet.microsoft.com/en-us/library/hh852336(v=ws.10).aspx

 

 

QUESTION 50

Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2. Server1
has the Remote Access server role installed.

 

You log on to Server1 by using a user account named User2.

 

From the Remote Access Management Console, you run the Getting Started Wizard and you receive a warning message as shown in the exhibit. (Click the Exhibit button.)

 

clip_image010

 

You need to ensure that you can configure DirectAccess successfully. The solution must minimize the number of permissions assigned to User2.

 

To which group should you add User2?

 

A.

Enterprise Admins

B.

Administrators

C.

Account Operators

D.

Server Operators

 

Correct Answer: B

Explanation:

You must have privileges to create WMI filters in the domain in which you want to create the filter. Permissions can be changed by adding a user to the Administrators group.

 

Administrators (A built-in group)

After the initial installation of the operating system, the only member of the group is the Administrator account. When a computer joins a domain, the Domain Admins group is added to the Administrators group. When a server becomes a domain controller, the Enterprise Admins group also is added to the Administrators group. The Administrators group has built-in capabilities that give its members full control over the system. The group is the default owner of any object that is created by a member of the group. This example logs in as a test user who is not a domain user or an administrator on the server. This results in the error specifying that DA can only be configured by a user with local administrator permissions.

 

http://technet.microsoft.com/en-us/library/cc780416(v=ws.10).aspx

http://technet.microsoft.com/en-us/library/cc775497(v=ws.10).aspx

 

Free VCE & PDF File for Microsoft 70-411 Real Exam

Instant Access to Free VCE Files: MCSE|MCSA|MCITP…
Instant Access to Free PDF Files: MCSE|MCSA|MCITP…