Get Full Version of the Exam
Your network contains an Active Directory domain named contoso.com. The domain contains 30 user accounts that are used for network administration. The user accounts are members of a domain global group named Group1.
You identify the security requirements for the 30 user accounts as shown in the following table.
You need to identify which settings must be implemented by using a Password Settings object (PSO) and which settings must be implemented by modifying the properties of the user accounts.
What should you identify?
To answer, configure the appropriate settings in the dialog box in the answer area.
Your network contains 25 Web servers that run Windows Server 2012 R2. You need to configure auditing policies that meet the following requirements:
Generate an event each time a new process is created.
Generate an event each time a user attempts to access a file share. Which two auditing policies should you configure?
To answer, select the appropriate two auditing policies in the answer area.
Your network contains an Active Directory domain named contoso.com.
You need to create a certificate template for the BitLocker Drive Encryption (BitLocker) Network Unlock feature.
Which Cryptography setting of the certificate template should you modify? To answer, select the appropriate setting in the answer area.
Your network contains an Active Directory domain named contoso.com. The domain contains a virtual machine named Server1 that runs Windows Server 2012 R2.
Server1 has a dynamically expanding virtual hard disk that is mounted to drive E.
You need to ensure that you can enable BitLocker Drive Encryption (BitLocker) on drive E. Which command should you run?
manage-bde -protectors -add c: -startup e:
manage-bde -lock e:
manage-bde -protectors -add e: -startupkey c:
manage-bde -on e:
Correct Answer: D
Encrypts the drive and turns on BitLocker. Example:
The following example illustrates using the -on command to turn on BitLocker for drive C and add a recovery password to the drive.
manage-bde -on C: -recoverypassword
You have a file server named Server1 that runs Windows Server 2012 R2.
A user named User1 is assigned the modify NTFS permission to a folder named C:\shares and all of the subfolders of C:\shares.
On Server1, you open File Server Resource Manager as shown in the exhibit. (Click the Exhibit button.)
To answer, complete each statement according to the information presented in the exhibit. Each correct selection is worth one point.
Your network contains an Active Directory domain named contoso.com. The domain contains a file server named Server1 that runs Windows Server 2012 R2.
You view the effective policy settings of Server1 as shown in the exhibit. (Click the Exhibit button.)
On Server1, you have a folder named C:\Share1 that is shared as Share1. Share1 contains
confidential data. A group named Group1 has full control of the content in Share1.
You need to ensure that an entry is added to the event log whenever a member of Group1 deletes a file in Share1.
What should you configure?
the Audit File Share setting of Servers GPO
the Sharing settings of C:\Share1
the Audit File System setting of Servers GPO
the Security settings of C:\Share1
Correct Answer: D
You can use Computer Management to track all connections to shared resources on a Windows Server 2008 R2 system.
Whenever a user or computer connects to a shared resource, Windows Server 2008 R2 lists a connection in the Sessions node.
File access, modification and deletion can only be tracked, if the object access auditing is enabled you can see the entries in event log.
To view connections to shared resources, type net session at a command prompt or follow these steps:
In Computer Management, connect to the computer on which you created the shared resource. In the console tree, expand System Tools, expand Shared Folders, and then select Sessions. You can now view connections to shares for users and computers.
To enable folder permission auditing, you can follow the below steps: Click start and run quot;secpol. mscquot; without quotes.
Open the Local Policies\Audit Policy
Enable the Audit object access for quot;Successquot; and quot;Failurequot;.
Go to target files and folders, right click the folder and select properties. Go to Security Page and click Advanced.
Click Auditing and Edit.
Click add, type everyone in the Select User, Computer, or Group. Choose Apply onto: This folder, subfolders and files.
Tick on the box quot;Change permissionsquot; Click OK.
After you enable security auditing on the folders, you should be able to see the folder permission changes in the server#39;s Security event log. Task Category is File System. http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/13779c78-0c73-4477- 8014-f2eb10f3f10f/
http://technet.microsoft.com/en-us/library/cc753927(v=ws.10).aspx http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/13779c78-0c73-4477- 8014-f2eb10f3f10f/
http://support.microsoft.com/kb/300549 http://www.windowsitpro.com/article/permissions/auditing-folder-permission-changes http://www.windowsitpro.com/article/permissions/auditing-permission-changes-on-a-folder
You have a failover cluster that contains five nodes. All of the nodes run Windows Server 2012 R2. All of the nodes have BitLocker Drive Encryption (BitLocker) enabled.
You enable BitLocker on a Cluster Shared Volume (CSV).
You need to ensure that all of the cluster nodes can access the CSV. Which cmdlet should you run next?
Correct Answer: B
Add an Active Directory Security Identifier (SID) to the CSV disk using the Cluster Name Object
(CNO) The Active Directory protector is a domain security identifier (SID) based protector for protecting clustered volumes held within the Active Directory infrastructure. It can be bound to a user account, machine account or group. When an unlock request is made for a protected volume, the BitLocker service interrupts the request and uses the BitLocker protect/unprotect APIs to unlock or deny the request. For the cluster service to selfmanage.
BitLocker enabled disk volumes, an administrator must add the Cluster Name Object (CNO), which is the Active Directory identity associated with the Cluster Network name, as a BitLocker protector to the target disk volumes. Add-BitLockerKeyProtector lt;drive letter or CSV mount pointgt;
– ADAccountOrGroupProtector ?ADAccountOrGroup $cno
Your network contains an Active Directory domain named contoso.com. All domain controllers run Windows Server 2012 R2.
The domain contains an Edge Server named Server1. Server1 is configured as a DirectAccess server. Server1 has the following settings:
You run the Remote Access Setup wizard as shown in the following exhibit. (Click the Exhibit button.)
You need to ensure that client computers on the Internet can establish DirectAccess connections to Server1.
Which additional name suffix entry should you add from the Remote Access Setup wizard?
A Name Suffix value of dal.contoso.com and a blank DNS Server Address value
A Name Suffix value of Server1.contoso.com and a DNS Server Address value of 18.104.22.168
A Name Suffix value of da1.contoso.com and a DNS Server Address value of 22.214.171.124
A Name Suffix value of Server1.contoso.com and a blank DNS Server Address value
Correct Answer: A
Split-brain DNS is the use of the same DNS domain for both Internet and intranet resources. For example, the Contoso Corporation is using split brain DNS; contoso.com is the domain name for intranet resources and Internet resources. Internet users use http://www.contoso.com to access Contoso#39;s public Web site and Contoso employees on the Contoso intranet use http://www.contoso.com to access Contoso#39;s intranet Web site. A Contoso employee with their laptop that is not a DirectAccess client on the intranet that accesses http: //www.contoso.com sees the intranet Contoso Web site. When they take their laptop to the local coffee shop and access that same URL, they will see the public Contoso Web site.
When a DirectAccess client is on the Internet, the Name Resolution Policy Table (NRPT) sends DNS name queries for intranet resources to intranet DNS servers. A typical NRPT for DirectAccess will have a rule for the namespace of the organization, such as contoso.com for the Contoso Corporation, with the Internet Protocol version 6 (IPv6) addresses of intranet DNS servers. With just this rule in the NRPT, when a user on a DirectAccess client on the Internet attempts to access the uniform resource locator (URL) for their Web site (such as http:
//www.contoso.com), they will see the intranet version. Because of this rule, they will never see the public version of this URL when they are on the Internet.
For split-brain DNS deployments, you must list the FQDNs that are duplicated on the Internet and intranet and decide which resources the DirectAccess client should reach, the intranet version or the public (Internet) version. For each name that corresponds to a resource for which you want DirectAccess clients to reach the public version, you must add the corresponding FQDN as an exemption rule to the NRPT for your DirectAccess clients. Name suffixes that do not have corresponding DNS servers are treated as exemptions.
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2.
You enable and configure Routing and Remote Access (RRAS) on Server1. You create a user account named User1.
You need to ensure that User1 can establish VPN connections to Server1. What should you do?
Create a network policy.
Create a connection request policy.
Add a RADIUS client.
Modify the members of the Remote Management Users group.
Correct Answer: A
Network policies are sets of conditions, constraints, and settings that allow you to designate who is authorized to connect to the network and the circumstances under which they can or cannot connect.
Network policies can be viewed as rules. Each rule has a set of conditions and settings. Configure your VPN server to use Network Access Protection (NAP) to enforce health requirement policies
http://technet.microsoft.com/en-us/library/hh831683.aspx http://technet.microsoft.com/en-us/library/cc754107.aspx http://technet.microsoft.com/en-us/library/dd314165(v=ws.10).aspx http://technet.microsoft.com/en-us/windowsserver/dd448603.aspx http://technet.microsoft.com/en-us/library/dd314165(v=ws.10).aspx http://technet.microsoft.com/en-us/library/dd469733.aspx http://technet.microsoft.com/en-us/library/dd469660.aspx http://technet.microsoft.com/en-us/library/cc753603.aspx http://technet.microsoft.com/en-us/library/cc754033.aspx http://technet.microsoft.com/en-us/windowsserver/dd448603.aspx
You have a DNS server named Server1.
Server1 has a primary zone named contoso.com.
Zone Aging/Scavenging is configured for the contoso.com zone.
One month ago, an administrator removed a server named Server2 from the network.
You discover that a static resource record for Server2 is present in contoso.com. Resource records for decommissioned client computers are removed automatically from contoso.com.
You need to ensure that the static resource records for all of the servers are removed automatically from contoso.com.
What should you modify?
The Expires after value of contoso.com
The Record time stamp value of the static resource records
The time-to-live (TTL) value of the static resource records
The Security settings of the static resource records
Correct Answer: B
Reset and permit them to use a current (non-zero) time stamp value. This enables these records to become aged and scavenged.
You can use this procedure to change how a specific resource record is scavenged. A stale record is a record where both the No-Refresh Interval and Refresh Interval have passed without the time stamp updating.
Depending on the how the resource record was originally added to the zone, do one of the following:
If the record was added dynamically using dynamic update, clear the Delete this record when it becomes stale check box to prevent its aging or potential removal during the scavenging process. If dynamic updates to this record continue to occur, the Domain Name System (DNS) server will always reset this check box so that the dynamically updated record can be deleted.
If you added the record statically, select the Delete this record when it becomes stale check box to permit its aging or potential removal during the scavenging process.
Typically, stale DNS records occur when a computer is permanently removed from the network. Mobile users who abnormally disconnect from the network can also cause stale DNS records. To help manage stale records, Windows adds a time stamp to dynamically added resource records in primary zones where aging and scavenging are enabled. Manually added records are time stamped with a value of 0, and they are automatically excluded from the aging and scavenging process.
To enable aging and scavenging, you must do the following:
Resource records must be either dynamically added to zones or manually modified to be used in aging and scavenging operations.
Scavenging and aging must be enabled both at the DNS server and on the zone. Scavenging is disabled by default.
DNS scavenging depends on the following two settings:
No-refresh interval: The time between the most recent refresh of a record time stamp and the moment when the time stamp can be refreshed again. When scavenging is enabled, this is set to 7 days by default.
Refresh interval: The time between the earliest moment when a record time stamp can be refreshed and the earliest moment when the record can be scavenged. The refresh interval must be longer than the maximum record refresh period. When scavenging is enabled, this is set to 7 days by default.
A DNS record becomes eligible for scavenging after both the no-refresh and refresh intervals have elapsed. If the default values are used, this is a total of 14 days. http://technet.microsoft.com/en-us/library/cc759204(v=ws.10).aspx http://technet.microsoft.com/en-us/library/cc759204(v=ws.10).aspx http://technet.microsoft.com/en-us/library/cc771570.aspx