Your network contains an Active Directory domain named contoso.com. You need to install and configure the Web Application Proxy role service. What should you do?
A. Install the Active Directory Federation Services server role and the Remote Access server role on different servers.
B. Install the Active Directory Federation Services server role and the Remote Access server role on the same server.
C. Install the Web Server (IIS) server role and the Application Server server role on the same server.
D. Install the Web Server (IIS) server role and the Application Server server role on different servers.
Correct Answer: A
Web Application Proxy is a new Remote Access role service in Windows Server® 2012 R2.
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1. Server1 is configured as a VPN server.
You need to configure Server1 to perform network address translation (NAT). What should you do?
A. From Network Connections, modify the Internet Protocol Version 4 (TCP/IPv4) setting of each network adapter.
B. From Network Connections, modify the Internet Protocol Version 6 (TCP/IPv6) setting of each network adapter.
C. From Routing and Remote Access, add an IPv6 routing protocol.
D. From Routing and Remote Access, add an IPv4 routing protocol.
Correct Answer: D
To configure an existing RRAS server to support both VPN remote access and NAT routing:
Open Server Manager.
Expand Roles, and then expand Network Policy and Access Services.
Right-click Routing and Remote Access, and then click Properties.
Select IPv4 Remote access Server or IPv6 Remote access server, or both.
You have a DNS server named Server1 that has a Server Core Installation of Windows Server 2012 R2.
You need to view the time-to-live (TTL) value of a name server (NS) record that is cached by the DNS Server service on Server1.
What should you run?
Correct Answer: A
The Show-DnsServerCache cmdlet shows all cached Domain Name System (DNS) server resource records in the following format: Name, ResourceRecordData, Time-to-Live (TTL).
You have a server named Server1 that runs Windows Server 2012 R2. Server1 has the Remote Access server role installed.
You need to configure the ports on Server1 to ensure that client computers can establish VPN connections to Server1 by using TCP port 443.
What should you modify?
To answer, select the appropriate object in the answer area.
You have a DNS server named DNS1 that runs Windows Server 2012 R2. On DNS1, you create a standard primary DNS zone named adatum.com.
You need to change the frequency that secondary name servers will replicate the zone from DNS1.
Which type of DNS record should you modify?
A. Name server (NS)
B. Start of authority (SOA)
C. Host information (HINFO)
D. Service location (SRV)
Correct Answer: B
The time to live is specified in the Start of Authority (SOA) record.
Note: TTL (time to live) – The number of seconds a domain name is cached locally before expiration and return to authoritative nameservers for updated information.
Your network contains an Active Directory domain named contoso.com. The domain contains three servers. The servers are configured as shown in the following table.
You need to ensure that end-to-end encryption is used between clients and Server2 when the clients connect to the network by using DirectAccess.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. From the Remote Access Management Console, reload the configuration.
B. Add Server2 to a security group in Active Directory.
C. Restart the IPSec Policy Agent service on Server2.
D. From the Remote Access Management Console, modify the Infrastructure Servers settings.
E. From the Remote Access Management Console, modify the Application Servers settings.
Correct Answer: BE
Unsure about these answers:
A public key infrastructure must be deployed.
Windows Firewall must be enabled on all profiles. ISATAP in the corporate network is not supported. If you are using ISATAP, you should remove it and use native IPv6.
Computers that are running the following operating systems are supported as DirectAccess clients:
Windows Server® 2012 R2
Windows 8.1 Enterprise
Windows Server® 2012
Windows 8 Enterprise
Windows Server® 2008 R2
Windows 7 Ultimate
Windows 7 Enterprise
Force tunnel configuration is not supported with KerbProxy authentication. Changing policies by using a feature other than the DirectAccess management console or Windows PowerShell cmdlets is not supported. Separating NAT64/DNS64 and IPHTTPS server roles on another server is not supported.
Your network contains an Active Directory forest. The forest contains two domains named contoso.com and fabrikam.com. All of the DNS servers in both of the domains run Windows Server 2012 R2.
The network contains two servers named Server1 and Server2. Server1 hosts an Active Directory-integrated zone for contoso.com. Server2 hosts an Active Directory-integrated zone for fabrikam.com. Server1 and Server2 connect to each other by using a WAN link.
Client computers that connect to Server1 for name resolution cannot resolve names in fabrikam.com.
You need to configure Server1 to support the resolution of names in fabrikam.com. The solution must ensure that users in contoso.com can resolve names in fabrikam.com if the WAN link fails.
What should you do on Server1?
A. Create a stub zone.
B. Add a forwarder.
C. Create a secondary zone.
D. Create a conditional forwarder.
Correct Answer: C
When a zone that this DNS server hosts is a secondary zone, this DNS server is a secondary source for information about this zone. The zone at this server must be obtained from another remote DNS server computer that also hosts the zone. With a secondary zone, you have the ability to resolve records from the other domain even if its DNS servers are temporarily unavailable.
While secondary zones contain copies of all the resource records in the corresponding zone on the master name server, stub zones contain only three kinds of resource records:
A copy of the SOA record for the zone.
Copies of NS records for all name servers authoritative for the zone.
Copies of A records for all name servers authoritative for the zone.
http://www.windowsnetworking.com/articles-tutorials/windows-2003/DNS_Stub_Zones.html
http://technet.microsoft.com/en-us/library/cc771898.aspx
http://redmondmag.com/Articles/2004/01/01/The-Long-and-Short-of-Stub-Zones.aspx?Page=2
Your network contains two servers named Server1 and Server2. Both servers run Windows Server 2012 R2 and have the DNS Server server role installed.
On Server1, you create a standard primary zone named contoso.com.
You need to ensure that Server2 can host a secondary zone for contoso.com. What should you do from Server1?
A. Add Server2 as a name server.
B. Create a trust anchor named Server2.
C. Convert contoso.com to an Active Directory-integrated zone.
D. Create a zone delegation that points to Server2.
Correct Answer: A
Typically, adding a secondary DNS server to a zone involves three steps:
On the primary DNS server, add the prospective secondary DNS server to the list of name servers that are authoritative for the zone.
On the primary DNS server, verify that the transfer settings for the zone permit the zone to be transferred to the prospective secondary DNS server.
On the prospective secondary DNS server, add the zone as a secondary zone.
You must add a new Name Server. To add a name server to the list of authoritative servers for the zone, you must specify both the server's IP address and its DNS name. When entering names, click Resolve to resolve the name to its IP address prior to adding it to the list.
Secondary zones cannot be AD-integrated under any circumstances.
You want to be sure that Server2 can host the zone; you do not want to delegate a zone.
Secondary Domain Name System (DNS) servers help provide load balancing and fault tolerance. Secondary DNS servers maintain a read-only copy of zone data that is transferred periodically from the primary DNS server for the zone. You can configure DNS clients to query secondary DNS servers instead of (or in addition to) the primary DNS server for a zone, reducing demand on the primary server and ensuring that DNS queries for the zone will be answered even if the primary server is not available.
How-To: Configure a secondary DNS Server in Windows Server 2012
We need to tell our primary DNS that it is ok for this secondary DNS to pull information from it. Otherwise replication will fail and you will get this big red X.
Head over to your primary DNS server, launch DNS manager, expand Forward Lookup Zones, navigate to your primary DNS zone, right-click on it and go to Properties.
Go to the "Zone Transfers" tab. By default, for security reasons, "Allow zone transfers:" is unchecked to protect your DNS information. We need to allow zone transfers. If you value your DNS records, you do not want to select "To any server"; make sure you click "Only to servers listed on the Name Servers tab".
Head over to the "Name Servers" tab and click Add.
You will get the "New Name Server Record" window. Type in the name of your secondary DNS server. It is always better to validate by name, not IP address, to avoid future problems in case your IP addresses change. Once done, click OK.
You will see that your secondary DNS server is now added to your name servers selection. Click OK.
Now if you head back to your secondary DNS server and refresh, the big red X will go away and your primary zone data will populate.
Your secondary DNS is now fully set up. You cannot make any DNS changes from your secondary DNS. Secondary DNS is a read-only DNS; any DNS changes have to be done from the primary DNS.
http://technet.microsoft.com/en-us/library/cc816885(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc816814(v=ws.10).aspx
http://blog.hyperexpert.com/how-to-configure-a-secondary-dns-server-in-windows-server-2012/
http://technet.microsoft.com/en-us/library/cc770984.aspx
http://support.microsoft.com/kb/816101
http://technet.microsoft.com/en-us/library/cc753500.aspx
http://technet.microsoft.com/en-us/library/cc771640(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/ee649280(v=ws.10).aspx
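The three-step secondary-zone procedure and the zone-transfer restriction described above, scripted with the DnsServer PowerShell module. This is an added example, not part of the original explanation; Server1, Server2 and contoso.com come from the question, while the FQDN of Server2 and the IP address are assumed placeholders.

```powershell
# Added example. Assumptions: run from a host with the DnsServer module and
# admin rights on both servers; the IP address is a constructed placeholder
# from the RFC 5737 documentation range.
Import-Module DnsServer

$Zone        = 'contoso.com'
$Primary     = 'Server1'
$Secondary   = 'Server2'
$SecondaryNs = 'server2.contoso.com'   # assumed FQDN of Server2
$PrimaryIp   = '192.0.2.10'            # placeholder address of Server1

# Audit first: list primary zones that hand a full copy to any requester
# ("To any server" on the Zone Transfers tab).
Get-DnsServerZone -ComputerName $Primary |
    Where-Object { $_.ZoneType -eq 'Primary' -and
                   $_.SecureSecondaries -eq 'TransferAnyServer' } |
    Select-Object ZoneName, SecureSecondaries

# Step 1 (primary): add Server2 to the zone's authoritative name servers.
# '.' denotes the zone apex.
Add-DnsServerResourceRecord -ComputerName $Primary -ZoneName $Zone `
    -NS -Name '.' -NameServer $SecondaryNs

# Step 2 (primary): permit transfers only to servers listed on the
# Name Servers tab, and notify them when the zone changes.
Set-DnsServerPrimaryZone -ComputerName $Primary -Name $Zone `
    -SecureSecondaries TransferToZoneNameServer -Notify Notify

# Step 3 (secondary): create the read-only copy, pulled from the primary.
Add-DnsServerSecondaryZone -ComputerName $Secondary -Name $Zone `
    -ZoneFile "$Zone.dns" -MasterServers $PrimaryIp

# Verify the transfer policy on the primary and the zone on the secondary.
Get-DnsServerZone -ComputerName $Primary -Name $Zone |
    Select-Object ZoneName, SecureSecondaries, Notify
Get-DnsServerZone -ComputerName $Secondary -Name $Zone |
    Select-Object ZoneName, ZoneType, MasterServers

# The SOA record's serial number and refresh interval show what the
# secondary compares against and how often it polls the primary.
(Get-DnsServerResourceRecord -ComputerName $Primary -ZoneName $Zone -RRType Soa).RecordData |
    Select-Object SerialNumber, RefreshInterval
```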
Your network contains an Active Directory domain named contoso.com. The domain contains a Web server named www.contoso.com. The Web server is available on the Internet.
You implement DirectAccess by using the default configuration.
You need to ensure that users never attempt to connect to www.contoso.com by using DirectAccess. The solution must not prevent the users from using DirectAccess to access other resources in contoso.com.
Which settings should you configure in a Group Policy object (GPO)?
DirectAccess Client Experience Settings
Name Resolution Policy
Correct Answer: C
For DirectAccess, the NRPT must be configured with the namespaces of your intranet with a leading dot (for example, .internal.contoso.com or .corp.contoso.com). For a DirectAccess client, any name request that matches one of these namespaces will be sent to the specified intranet Domain Name System (DNS) servers.
Include all intranet DNS namespaces that you want DirectAccess client computers to access. There are no command line methods for configuring NRPT rules. You must use Group Policy settings. To configure the NRPT through Group Policy, use the Group Policy add-in at Computer Configuration\Policies\Windows Settings\Name Resolution Policy in the Group Policy object for DirectAccess clients. You can create a new NRPT rule and edit or delete existing rules. For more information, see Configure the NRPT with Group Policy.
Your network contains an Active Directory domain named contoso.com.
All user accounts for the marketing department reside in an organizational unit (OU) named OU1. All user accounts for the finance department reside in an organizational unit (OU) named OU2.
You create a Group Policy object (GPO) named GPO1. You link GPO1 to OU2. You configure the Group Policy preference of GPO1 to add a shortcut named Link1 to the desktop.
You discover that when a user signs in, the Link1 is not added to the desktop. You need to ensure that when a user signs in, Link1 is added to the desktop. What should you do?
Enable loopback processing in GPO1.
Modify the Link1 shortcut preference of GPO1.
Modify the Security Filtering settings of GPO1.
Correct Answer: D
Security filtering is a way of refining which users and computers will receive and apply the settings in a Group Policy object (GPO). Using security filtering, you can specify that only certain security principals within a container where the GPO is linked apply the GPO. Security group filtering determines whether the GPO as a whole applies to groups, users, or computers; it cannot be used selectively on different settings within a GPO.