NEW QUESTION NO: 20
Your network contains an Active Directory domain.
You plan to implement a remote access solution that will contain three servers that run Windows Server
2012. The servers will be configured as shown in the following table.

Server1 will support up to 200 concurrent VPN connections.
You need to ensure that all VPN connection requests are authenticated and authorized by either Server2 or Server3. The solution must ensure that the VPN connections can be authenticated if either Server2 or Server3 fails.
What should you do?
A. On Server1, configure a RADIUS proxy. On Server2 and Server3, add a RADIUS client.
B. On Server2 and Server3, add a RADIUS client. On Server1, modify the Authentication settings.
C. On Server1, configure a RADIUS proxy. Add Server2 and Server3 to a failover cluster.
D. Add Server2 and Server3 to a Network Load Balancing (NLB) cluster. On Server1, modify the Authentication settings.
Answer: B
Explanation/Reference:
Explanation:
* A network access server (NAS) is a device that provides some level of access to a larger network. A NAS using a RADIUS infrastructure is also a RADIUS client, sending connection requests and accounting messages to a RADIUS server for authentication, authorization, and accounting.
* Client computers, such as wireless portable computers and other computers running client operating systems, are not RADIUS clients. RADIUS clients are network access servers-such as wireless access points, 802.1X-capable switches, virtual private network (VPN) servers, and dial-up servers-because they use the RADIUS protocol to communicate with RADIUS servers such as Network Policy Server (NPS) servers.

NEW QUESTION NO: 21
HOTSPOT
You have a domain controller that hosts an Active Directory-integrated zone.
On the domain controller, you run the following cmdlet:
PS C:\> Get-DnsServerScavenging
NoRefreshInterval:2.00:00:00
RefreshInterval:3.00:00:00
ScavengingInterval:4.00:00:00
ScavengingState:True
LastScavengeTime:1/30/2014 9:10:36 AM
Use the drop-down menus to select the answer choice that completes each statement.
Hot Area:

Answer: 

Explanation/Reference:
Explanation:
First answer
* -NoRefreshInterval<TimeSpan>
Specifies a length of time as a TimeSpan object. NoRefreshInterval sets a period of time in which no refreshes are accepted for dynamically updated records. Zones on the server inherit this value automatically.
This value is the interval between the last update of a timestamp for a record and the earliest time when the timestamp can be refreshed. The minimum value is 0. The maximum value is 8760 hours (seven days).
* Here it is set to 2 days: NoRefreshInterval:2.00:00:00
Second answer
-ScavengingState<Boolean> (In this question it is set to true)
Enables or disables automatic scavenging of stale records. ScavengingState determines whether the DNS scavenging feature is enabled by default on newly created zones. The acceptable values for this parameter are:
-- $False. Disables scavenging. This is the default setting.
-- $True. Enables scavenging

NEW QUESTION NO: 22
Your company has a main office and four branch offices. The main office is located in London.
The network contains an Active Directory domain named contoso.com. Each office contains one domain controller that runs Windows Server 2012. The Active Directory site topology is configured as shown in the exhibit. (Click the Exhibit button.) You discover that when a domain controller in a branch office is offline for maintenance, users in that branch office are authenticated by using the domain controllers in any of the sites.
You need to recommend changes to Active Directory to ensure that when a domain controller in a branch office is offline, the users in that branch office are authenticated by the domain controllers in London.
What should you include in the recommendation?
Exhibit

A. Modify the DC Locator DNS Records settings.
B. Disable site link bridging.
C. Modify the site link costs.
D. Modify the service location (SRV) records in DNS.
Answer: A
Explanation/Reference:
Explanation:
If local DC (domain controller) is not available, DC Locator service will look for another DC in a different site.

NEW QUESTION NO: 23
Your network contains an Active Directory forest named contoso.com. The forest is managed by using Microsoft System Center 2012.
Web developers must be able to use a self-service portal to request the deployment of virtual machines based on predefined templates. The requests must be approved by an administrator before the virtual machines are deployed.
You need to recommend a solution to deploy the virtual machines.
What should you include in the recommendation?
More than one answer choice may achieve the goal. Select the BEST answer.
A. A Virtual Machine Manager (VMM) service template, an Operations Manager dashboard, and an Orchestrator runbook
B. A Service Manager service offering, an Orchestrator runbook, and an Operations Manager dashboard
C. A Virtual Machine Manager (VMM) service template, a Service Manager service offering, and an Orchestrator runbook
D. A Service Manager service offering, an Orchestrator runbook, and Configuration Managerpackages
Answer: C
Explanation/Reference:
Explanation:
As a practical example, a user could initiate an Orchestrator runbook by requesting a service in a self- service portal. The runbook would then await approval by IT. Once approved, it would then automatically provision the necessary virtual machines through System Center Virtual Machine Manager, deploy the required software via Configuration Manager, arrange backup through System Center Data Protection Manager and integrate monitoring with a third-party system.

NEW QUESTION NO: 24
Your company has two main offices and 10 branch offices. Each office is configured as a separate Active Directory site.
The main offices sites are named Site1 and Site2. Each office connects to Site1 and Site2 by using a WAN link. Each site contains a domain controller that runs Windows Server 2008.
You are redesigning the Active Directory infrastructure.
You plan to implement domain controllers that run Windows Server 2012 and decommission all of the domain controllers that run Windows Server 2008.
You need to recommend a placement plan for the Windows Server 2012 domain controllers to meet the following requirements:
Ensure that users can log on to the domain if a domain controller or a WAN link fails.

Minimize the number of domain controllers implemented.

What should you include in the recommendation? (Each correct answer presents part of the solution.
Choose all that apply.)
A. Writable domain controllers in the branch office sites
B. Read-only domain controllers (RODCs) in the branch office sites
C. A writable domain controller in Site2
D. A writable domain controller in Site1
Answer: C,D

NEW QUESTION NO: 25
Your network contains an Active Directory forest named adatum.com. All domain controllers run Windows Server 2008 R2. The functional level of the domain and the forest is Windows Server 2008.
You deploy a new Active Directory forest named contoso.com. All domain controllers run Windows Server
2012 R2. The functional level of the domain and the forest is Windows Server 2012 R2.
You establish a two-way, forest trust between the forests. Both networks contain member servers that run either Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2 or Windows Server
2008.
You plan to use the Active Directory Migration Tool 3.2 (ADMT 3.2) to migrate user accounts from adatum.com to contoso.com. SID history will be used in contoso.com and passwords will be migrated by using a Password Export Server (PES).
You need to recommend which changes must be implemented to support the planned migration.
Which two changes should you recommend? Each correct answer presents part of the solution.
A. In the contoso.com forest, deploy a domain controller that runs Windows Server 2008 R2.
B. In the adatum.com forest, upgrade the functional level of the forest and the domain.
C. In the adatum.com forest, deploy a domain controller that runs Windows Server 2012 R2.
D. In the contoso.com forest, downgrade the functional level of the forest and the domain.
Answer: A,D

NEW QUESTION NO: 26
You need to recommend changes for the Active Directory infrastructure.
What should you recommend? To answer, drag the appropriate domain and forest functional levels for proseware.com to the correct locations. Each functional level may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
Select and Place:

Answer: 

Explanation/Reference:
* Scenario: Domain controllers that run Windows Server 2012 R2 and Windows Server 2008 R2 must be able to be deployed to the proseware.com domain.

NEW QUESTION NO: 27
You have a server named Server1 that runs Windows Server 2012. Server1 has the DNS Server server role installed.
You need to recommend changes to the DNS infrastructure to protect the cache from cache poisoning attacks.
What should you configure on Server1?
A. DNS cache locking
B. The global query block list
C. DNS Security Extensions (DNSSEC)
D. DNS devolution
Answer: A
Explanation/Reference:
Explanation:
Cache locking is a new feature available if your DNS server is running Windows Server 2008 R2. When you enable cache locking, the DNS server will not allow cached records to be overwritten for the duration of the time to live (TTL) value. Cache locking provides for enhanced security against cache poisoning attacks.

NEW QUESTION NO: 28
You need to recommend a solution that meets the security requirements.
Which schema attribute properties should you recommend modifying?
A. isIndexed
B. searchFlags
C. isCriticalSystemObject
D. schemaFlagsEx
Answer: B
Explanation/Reference:
Explanation:
* Scenario: ). Confidential attributes must not be replicated to the Chicago office.
* Applies To: Windows Server 2008, Windows Server 2012
This topic includes procedures for adding an attribute to the filtered attribute set (FAS) for a read-only domain controller (RODC) and marking the attribute as confidential data. You can perform these procedures to exclude specific data from replicating to RODCs in the forest.
Because the data is not replicated to any RODCs, you can be assured that the data will not be revealed to an attacker who manages to successfully compromise an RODC. In most cases, adding an attribute to the RODC FAS is completed by the developer of the application that added the attribute to the schema.
* Determine and then modify the current searchFlags value of an attribute
* Verify that an attribute is added to the RODC FAS
- Determine and then modify the current searchFlags value of an attribute To add an attribute to an RODC FAS, you must first determine the current searchFlags value of the attribute that you want to add, and then set the following values for searchflags:
* To add the attribute to the RODC FAS, set the 10th bit to 0x200.
* To mark the attribute as confidential, set the 7th bit to 0x080.
Reference: Adding Attributes to the RODC Filtered Attribute Set
http://technet.microsoft.com/en-us/library/cc754794(v=ws.10).aspx

NEW QUESTION NO: 29
You need to plan the expansion of the Los Angeles office.
What should you do?
A. Install a read-only domain controller in Los Angeles.
B. Install a domain controller in Los Angeles.
C. Create and apply a filtered attribute set to the Los Angeles site.
D. Create and apply a Group Policy object to the Los Angeles site.
Answer: B
Explanation/Reference:
/All authentication requests must first be attempted in the same location as the client device that is being authenticated
/Any server placed in the Los Angeles office must not contain cached passwords

NEW QUESTION NO: 30
Your network contains an Active Directory domain named contoso.com. The domain contains multiple sites.
You plan to deploy DirectAccess.
The network security policy states that when client computers connect to the corporate network from the Internet, all of the traffic destined for the Internet must be routed through the corporate network.
You need to recommend a solution for the planned DirectAccess deployment that meets the security policy requirement.
Solution: You enable split tunneling.
Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation/Reference:
Explanation:
DirectAccess by default enables split tunneling. All traffic destined to the corpnet is sent over the DA IPsec tunnels, and all traffic destined for the Internet is sent directly to the Internet over the local interface. This prevents DA clients from bringing the corporate Internet connection to its knees.
Is DA split tunneling really a problem? The answer is no.
Why? Because the risks that exist with VPNs, where the machine can act as a router between the Internet and the corporate network is not valid with DirectAccess. IPsec rules on the UAG server require that traffic be from an authenticated source, and all traffic between the DA client and server is protected with IPsec.
Thus, in the scenario where the DA client might be configured as a router, the source of the traffic isn't going to be the DA client, and authentication will fail - hence preventing the type of routing that VPN admins are concerned about.

https://www.examslabs.com/Microsoft/Windows-Server-2012/best-70-413-exam-dumps.html