Exam Code: 70-412 (Practice Exam Latest Test Questions VCE PDF)
Exam Name: Configuring Advanced Windows Server 2012 Services
Certification Provider: Microsoft
2016 Mar 70-412 Study Guide Questions:
Q166. Your network contains an Active Directory domain named contoso.com. All servers run Windows Server 2012 R2.
You are creating a central access rule named TestFinance that will be used to grant members of the Authenticated users group access to a folder stored on a Microsoft SharePoint Server 2013 server.
You need to ensure that the permissions are granted when the rule is published.
What should you do?
A. Set the Permissions to Use the following permissions as proposed permissions.
B. Set the Permissions to Use following permissions as current permissions.
C. Add a Resource condition to the current permissions entry for the Authenticated Users principal.
D. Add a User condition to the current permissions entry for the Authenticated Users principal.
To create a central access rule (see step 5 below):
1. In the left pane of the Active Directory Administrative Center, click Tree View, select Dynamic Access Control, and then click Central Access Rules.
2. Right-click Central Access Rules, click New, and then click Central Access Rule.
3. In the Name field, type Finance Documents Rule.
4. In the Target Resources section, click Edit, and in the Central Access Rule dialog box, click Add a condition. Add the following condition: [Resource] [Department] [Equals] [Value] [Finance], and then click OK.
5. In the Permissions section, select Use following permissions as current permissions, click Edit, and in the Advanced Security Settings for Permissions dialog box click Add.
Note (not A): The "Use the following permissions as proposed permissions" option lets you create the policy in staging.
6. In the Permission entry for Permissions dialog box, click Select a principal, type Authenticated Users, and then click OK.
Not A. Proposed permissions enable an administrator to more accurately model the impact of potential changes to access control settings without actually changing them.
Reference: Deploy a Central Access Policy (Demonstration Steps)
Q167. You have 20 servers that run Windows Server 2012 R2.
You need to create a Windows PowerShell script that registers each server in Windows Azure Backup and sets an encryption passphrase.
Which two PowerShell cmdlets should you run in the script? (Each correct answer presents part of the solution. Choose two.)
E. Set-OBMachineSetting
D. Start-OBRegistration registers the current computer with Windows Azure Online Backup using the credentials (username and password) created during enrollment.
E. The Set-OBMachineSetting cmdlet sets an OBMachineSetting object for the server that includes proxy server settings for accessing the internet, network bandwidth throttling settings, and the encryption passphrase that is required to decrypt the files during recovery to another server.
Not C. The Add-OBFileSpec cmdlet adds the OBFileSpec object, which specifies the items to include or exclude from a backup, to the backup policy (OBPolicy object). The OBFileSpec object can include or exclude multiple files, folders, or volumes.
Reference: Start-OBRegistration; Set-OBMachineSetting
http://technet.microsoft.com/en-us/library/hh770398.aspx
http://technet.microsoft.com/en-us/library/hh770409.aspx
Q168. Your network contains two Active Directory forests named contoso.com and adatum.com. All of the domain controllers in both of the forests run Windows Server 2012 R2. The adatum.com domain contains a file server named Server5.
Adatum.com has a one-way forest trust to contoso.com.
A contoso.com user named User10 attempts to access a shared folder on Server5 and receives the error message shown in the exhibit. (Click the Exhibit button.)
You verify that the Authenticated Users group has Read permissions to the Data folder.
You need to ensure that User10 can read the contents of the Data folder on Server5 in the
What should you do?
A. Grant the Other Organization group Read permissions to the Data folder.
B. Modify the list of logon workstations of the contoso\User10 user account.
C. Enable the Netlogon Service (NP-In) firewall rule on Server5.
D. Modify the permissions on the Server5 computer object in Active Directory.
* To resolve the issue, I had to open up AD Users and Computers --> enable Advanced Features --> Select the Computer Object --> Properties --> Security --> Add the Group I want to allow access to the computer (in this case, DomainA\Domain users) and allow "Allowed to Authenticate". Once I did that, everything worked:
* For users in a trusted Windows Server 2008 or Windows Server 2003 domain or forest to be able to access resources in a trusting Windows Server 2008 or Windows Server 2003 domain or forest where the trust authentication setting has been set to selective authentication, each user must be explicitly granted the Allowed to Authenticate permission on the security descriptor of the computer objects (resource computers) that reside in the trusting domain or forest.
Reference: Grant the Allowed to Authenticate Permission on Computers in the Trusting Domain or Forest.
Q169. DRAG DROP
You have two failover clusters named Cluster1 and Cluster2. All of the nodes in both of the clusters run Windows Server 2012 R2.
Cluster1 hosts two virtual machines named VM1 and VM2.
You plan to configure VM1 and VM2 as nodes in a new failover cluster named Cluster3.
You need to configure the witness disk for Cluster3 to be hosted on Cluster2.
Which three actions should you perform in sequence?
To answer, move the appropriate three actions from the list of actions to the answer area and arrange them in the correct order.
Q170. Your network contains an Active Directory domain named contoso.com. The domain contains a member server named Server1 that has the Active Directory Federation Services server role installed. All servers run Windows Server 2012.
You complete the Active Directory Federation Services Configuration Wizard on Server1. You need to ensure that client devices on the internal network can use Workplace Join. Which two actions should you perform on Server1? (Each correct answer presents part of the solution. Choose two.)
A. Run Enable-AdfsDeviceRegistration -PrepareActiveDirectory.
B. Edit the multi-factor authentication global authentication policy settings.
C. Run Enable-AdfsDeviceRegistration.
D. Run Set-AdfsProxyProperties HttpPort 80.
E. Edit the primary authentication global authentication policy settings.
C. To enable Device Registration Service
On your federation server, open a Windows PowerShell command window and type:
Repeat this step on each federation farm node in your AD FS farm.
E. Enable seamless second factor authentication
Seamless second factor authentication is an enhancement in AD FS that provides an added level of access protection to corporate resources and applications from external devices that are trying to access them. When a personal device is Workplace Joined, it becomes a ‘known’ device and administrators can use this information to drive conditional access and gate access to resources.
To enable seamless second factor authentication, persistent single sign-on (SSO) and conditional access for Workplace Joined devices.
In the AD FS Management console, navigate to Authentication Policies. Select Edit Global Primary Authentication. Select the check box next to Enable Device Authentication, and then click OK.
Reference: Configure a federation server with Device Registration Service.
Q171. Your network contains an Active Directory domain named contoso.com. The domain contains four servers named Server1, Server2, Server3, and Server4 that run Windows Server 2012 R2. All servers have the Hyper-V server role and the Failover Clustering feature installed.
You need to replicate virtual machines from Cluster1 to Cluster2.
Which three actions should you perform? (Each correct answer presents part of the solution. Choose three.)
A. From Hyper-V Manager on a node in Cluster2, create three virtual machines.
B. From Cluster2, add and configure the Hyper-V Replica Broker role.
C. From Failover Cluster Manager on Cluster1, configure each virtual machine for replication.
D. From Cluster1, add and configure the Hyper-V Replica Broker role.
E. From Hyper-V Manager on a node in Cluster2 modify the Hyper-V settings.
D. You must configure the Hyper-V Replica Broker for cluster1.
E. We must configure the Replica server to receive replication from primary servers: In Hyper-V Manager, click Hyper-V Settings in the Actions pane.
In the Hyper-V Settings dialog, click Replication Configuration.
In the Details pane, select Enable this computer as a Replica server.
C. Enable virtual machine replication.
Once the hosting server is configured for Replica, you can enable replication for each virtual machine that you want to be replicated.
Reference: Deploy Hyper-V Replica
Q172. Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2.
Server1 is an enterprise root certification authority (CA) for contoso.com.
You need to ensure that the members of a group named Group1 can request code signing certificates. The certificates must be issued automatically to the members.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. From Certificate Templates, modify the certificate template.
B. From Certification Authority, add a certificate template to be issued.
C. From Certificate Authority, modify the CA properties.
D. From Certificate Templates, duplicate a certificate template.
E. From Certificate Authority, stop and start the Active Directory Certificate Services (AD CS) service.
Best Practices include: Duplicate new templates from existing templates closest in function to the intended template.
New certificate templates are duplicated from existing templates. Many settings are copied from the original template. Because of this, duplicating one template to another of a totally different type may carry over some unintended settings. When duplicating a template, examine the subject type of the original template and ensure that you duplicate one that has a similar function to that of the intended template. Although most settings for certificate templates can be edited once the template is duplicated, the subject type cannot be
Reference: Deploying Certificate Templates
Q173. Your network contains two DHCP servers named Server1 and Server2. Server1 fails.
You discover that DHCP clients can no longer receive IP address leases.
You need to ensure that the DHCP clients receive IP addresses immediately.
What should you configure from the View/Edit Failover Relationship settings? To answer, select the appropriate setting in the answer area.
Q174. Your network contains an Active Directory domain named contoso.com. The domain contains two member servers named Server1 and Server2. All servers run Windows Server 2012 R2.
Server1 and Server2 have the Failover Clustering feature installed. The servers are configured as nodes in a failover cluster named Cluster1.
You configure File Services and DHCP as clustered resources for Cluster1. Server1 is the active node for both clustered resources.
You need to ensure that if two consecutive heartbeat messages are missed between Server1 and Server2, Server2 will begin responding to DHCP requests. The solution must ensure that Server1 remains the active node for the File Services clustered resource for up to five missed heartbeat messages.
What should you configure?
C. The cluster quorum settings
D. The failover settings
E. A file server for general use
F. The Handling priority
G. The host priority
H. Live migration
I. The possible owner
J. The preferred owner
K. Quick migration
L. The Scale-Out File Server
The number of heartbeats that can be missed before failover occurs is known as the heartbeat threshold. The heartbeat threshold is a failover clustering setting.
Reference: Tuning Failover Cluster Network Thresholds
Q175. Your network contains an Active Directory domain named contoso.com. The domain contains a domain controller named DC1 that runs Windows Server 2012 R2. DC1 has the DNS Server server role installed.
The network contains client computers that run either Linux, Windows 7, or Windows 8.
You have a zone named adatum.com as shown in the exhibit. (Click the Exhibit button.)
You plan to configure Name Protection on all of the DHCP servers.
You need to configure the adatum.com zone to support Name Protection.
What should you do?
A. Change the zone type.
B. Sign the zone.
C. Add a DNSKEY record.
D. Configure Dynamic updates.
Name protection requires secure update to work. Without name protection DNS names may be hijacked.
You can use the following procedures to allow only secure dynamic updates for a zone. Secure dynamic update is supported only for Active Directory–integrated zones. If the zone type is configured differently, you must change the zone type and directory-integrate the zone before securing it for Domain Name System (DNS) dynamic updates.
Enable secure dynamic updates:
Reference: DHCP: Secure DNS updates should be configured if Name Protection is enabled on any IPv4 scope
http://technet.microsoft.com/en-us/library/ee941152(v=ws.10).aspx
Q176. Your network contains an Active Directory domain named contoso.com. The network contains a file server named Server1 that runs Windows Server 2012 R2.
You are configuring a central access policy for temporary employees.
You enable the Department resource property and assign the property a suggested value of Temp.
You need to configure a target resource condition for the central access rule that is scoped to resources assigned to Temp only.
Which condition should you use?
A. (Temp.Resource Equals "Department")
B. (Resource.Temp Equals "Department")
C. (Resource.Department Equals "Temp")
D. (Department.Value Equals "Temp")
Targeting: Resource.Department Contains Finance
Access rule: Allow read User.Country=Resource.Country AND User.department =
Reference: Deploy a Central Access Policy (Demonstration Steps)
Q177. Your company has two offices. The offices are located in Seattle and Montreal.
The network contains an Active Directory domain named contoso.com. The domain contains two DHCP servers named Server1 and Server2. Server1 is located in the Seattle office. Server2 is located in the Montreal office. All servers run Windows Server 2012 R2.
You need to create a DHCP scope for video conferencing in the Montreal office. The scope must be configured as shown in the following table.
Which Windows PowerShell cmdlet should you run?
The Add-DhcpServerv4MulticastScope cmdlet adds a multicast scope on the Dynamic Host Configuration Protocol (DHCP) server.
Note: IPv4 multicast addresses are defined by the leading address bits of 1110, originating from the classful network design of the early Internet when this group of addresses was designated as Class D. The Classless Inter-Domain Routing (CIDR) prefix of this group is 224.0.0.0/4. The group includes the addresses from 224.0.0.0 to 239.255.255.255.
Q178. Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2. Server1 has the Active Directory Certificate Services server role installed and is configured as an enterprise certification authority (CA).
You need to ensure that all of the users in the domain are issued a certificate that can be used for the following purposes:
Encrypting File System (EFS)
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. From a Group Policy, configure the Certificate Services Client – Auto-Enrollment settings.
B. From a Group Policy, configure the Certificate Services Client – Certificate Enrollment Policy settings.
C. Modify the properties of the User certificate template, and then publish the template.
D. Duplicate the User certificate template, and then publish the template.
E. From a Group Policy, configure the Automatic Certificate Request Settings settings.
The default user template supports all of the requirements EXCEPT auto enroll as shown below:
However a duplicated template from users has the ability to autoenroll:
The Automatic Certificate Request Settings GPO setting is only available to Computer, not user.
Reference: Manage Certificate Enrollment Policy by Using Group Policy. http://technet.microsoft.com/en-us/library/dd851772.aspx
Q179. You have a server named Server1 that runs Windows Server 2012 R2. The storage on Server1 is configured as shown in the following table.
You plan to implement Data Deduplication on Server1.
You need to identify on which drives you can enable Data Deduplication.
Which three drives should you identify? (Each correct answer presents part of the solution. Choose three.)
Volumes that are candidates for deduplication must conform to the following requirements:
* Must not be a system or boot volume. (not A)
* Can be partitioned as a master boot record (MBR) or a GUID Partition Table (GPT), and must be formatted using the NTFS file system. (not C)
* Can reside on shared storage, such as storage that uses a Fibre Channel or an SAS array, or when an iSCSI SAN and Windows Failover Clustering is fully supported.
* Do not rely on Cluster Shared Volumes (CSVs). You can access data if a deduplication-enabled volume is converted to a CSV, but you cannot continue to process files for deduplication.
* Do not rely on the Microsoft Resilient File System (ReFS).
* Must be exposed to the operating system as non-removable drives. Remotely-mapped drives are not supported.
Ref: Plan to Deploy Data Deduplication http://technet.microsoft.com/en-us/library/hh831700.aspx
Q180. Your network contains two Active Directory forests named contoso.com and adatum.com.
Contoso.com contains one domain. Adatum.com contains a child domain named child.adatum.com.
Contoso.com has a one-way forest trust to adatum.com. Selective authentication is enabled on the forest trust.
Several user accounts are migrated from child.adatum.com to adatum.com.
Users report that after the migration, they fail to access resources in contoso.com. The users successfully accessed the resources in contoso.com before the accounts were migrated.
You need to ensure that the migrated users can access the resources in contoso.com.
What should you do?
A. Replace the existing forest trust with an external trust.
B. Run netdom and specify the /quarantine attribute.
C. Disable SID filtering on the existing forest trust.
D. Disable selective authentication on the existing forest trust.
Security Considerations for Trusts
Need to gain access to the resources in contoso.com
Disabling SID Filter Quarantining on External Trusts
Although it reduces the security of your forest (and is therefore not recommended), you can disable SID filter quarantining for an external trust by using the Netdom.exe tool. You should consider disabling SID filter quarantining only in the following situations:
* Users have been migrated to the trusted domain with their SID histories preserved, and you want to grant them access to resources in the trusting domain based on the SID history
Not B. Enables administrators to manage Active Directory domains and trust relationships from the command prompt. /quarantine sets or clears the domain quarantine.
Not D. Selective authentication over a forest trust restricts access to only those users in a trusted forest who have been explicitly given authentication permissions to computer objects (resource computers) that reside in the trusting forest.
Reference: Security Considerations for Trusts
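The following is an added example, not part of the original study guide: a PowerShell function that decodes the `trustAttributes` and `trustDirection` values of `trustedDomain` objects to report whether selective authentication (Q168) and SID filtering (Q180) are in force on each trust. The function name, output fields and sample trusts are constructed for illustration; the bit values are the ones documented in MS-ADTS.

```powershell
# Added example. On a domain-joined host the input could come from:
#   Get-ADObject -LDAPFilter '(objectClass=trustedDomain)' -Properties trustAttributes,trustDirection
function Get-TrustPosture {
    [CmdletBinding()]
    param(
        # Any object exposing Name, trustDirection and trustAttributes.
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Trust
    )
    process {
        $attr = [int]$Trust.trustAttributes
        $dir  = [int]$Trust.trustDirection

        $quarantined  = [bool]($attr -band 0x04)  # TRUST_ATTRIBUTE_QUARANTINED_DOMAIN
        $forestTrust  = [bool]($attr -band 0x08)  # TRUST_ATTRIBUTE_FOREST_TRANSITIVE
        $selective    = [bool]($attr -band 0x10)  # TRUST_ATTRIBUTE_CROSS_ORGANIZATION
        $withinForest = [bool]($attr -band 0x20)  # TRUST_ATTRIBUTE_WITHIN_FOREST
        $asExternal   = [bool]($attr -band 0x40)  # TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL

        $type = if ($withinForest) { 'IntraForest' }
                elseif ($forestTrust) { 'Forest' }
                else { 'External' }

        # Forest trusts filter SIDs unless relaxed; external trusts filter
        # only while the quarantine bit is set.
        $sidFiltering = switch ($type) {
            'IntraForest' { 'NotFiltered' }
            'Forest'      { if ($asExternal)  { 'Relaxed' }  else { 'Enforced' } }
            'External'    { if ($quarantined) { 'Enforced' } else { 'Disabled' } }
        }

        # Both settings matter on the trusting side (outbound bit = 2).
        $review = @()
        if (($dir -band 2) -and -not $withinForest) {
            if ($sidFiltering -ne 'Enforced') { $review += 'SID history from the trusted side is honoured' }
            if (-not $selective) { $review += 'authentication is not selective' }
        }

        [pscustomobject]@{
            Name          = $Trust.Name
            Type          = $type
            Direction     = @('Disabled', 'Inbound', 'Outbound', 'Bidirectional')[$dir -band 3]
            SelectiveAuth = $selective
            SidFiltering  = $sidFiltering
            Review        = $review -join '; '
        }
    }
}

# Constructed sample data, seen from the trusting forest (contoso.com in Q180).
$sample = @(
    [pscustomobject]@{ Name = 'adatum.com';       trustDirection = 2; trustAttributes = 0x18 }
    [pscustomobject]@{ Name = 'partner.example';  trustDirection = 2; trustAttributes = 0x48 }
    [pscustomobject]@{ Name = 'legacy.example';   trustDirection = 3; trustAttributes = 0x00 }
)
$sample | Get-TrustPosture | Format-Table -AutoSize
```

With the sample data, adatum.com reports selective authentication on and SID filtering enforced, which is the Q180 starting state; the other two rows show what the report looks like once filtering has been relaxed or was never applied.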