How to pass Microsoft 70-410 Real Exam in 24 Hours [free download 361-372]

Exam Code: 70-410 (Practice Exam Latest Test Questions VCE PDF)
Exam Name: Installing and Configuring Windows Server 2012
Certification Provider: Microsoft

2016 Apr 70-410 Study Guide Questions:

Q361. - (Topic 3) 

Your network contains an Active Directory domain named contoso.com. All servers run Windows Server 2012 R2. 

When a domain user named User3 attempts to log on to a client computer named Client10, User3 receives the message shown in the following exhibit.


You need to ensure that User3 can log on to Client10. 

What should you do? 

A. From Active Directory Users and Computers, configure the Logon Workstations setting of User3. 

B. On Client10, modify the Allow log on locally User Rights Assignment. 

C. From Active Directory Users and Computers, configure the Personal Virtual Desktop property of User3. 

D. On Client10, modify the Deny log on locally User Rights Assignment. 

Answer: A 


Q362. - (Topic 3) 

Your network contains an Active Directory domain named contoso.com. An organizational unit (OU) named OU1 contains user accounts and computer accounts. A Group Policy object (GPO) named GP1 is linked to the domain. GP1 contains Computer Configuration settings and User Configuration settings. 

You need to prevent the User Configuration settings in GP1 from being applied to users. The solution must ensure that the Computer Configuration settings in GP1 are applied to all client computers. 

What should you configure? 

A. the Group Policy loopback processing mode 

B. the Block Inheritance feature 

C. the Enforced setting 

D. the GPO Status 

Answer: D 


Q363. - (Topic 3) 

Your network contains an Active Directory domain named contoso.com. All domain controllers run Windows Server 2012 R2. 

The domain contains a server named Server1 that runs Windows Server 2012 R2. 

You need to ensure that when users log on to Server1, their user account is added automatically to a local group named Group1 during the log on process. 

Which Group Policy settings should you modify? 

A. User Rights Assignment 

B. Preferences 

C. Security Options 

D. Restricted Groups 

Answer: B 

Explanation: 

With Preferences, local and domain accounts can be added to a local group without affecting the existing members of the group 

References: Training Guide: Installing and Configuring Windows Server 2012 R2: Chapter 8: File Services and Storage, p. 361 

http://technet.microsoft.com/en-us/library/cc785631(v=ws.10).aspx

http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/

http://technet.microsoft.com/en-us/library/cc780182(v=ws.10).aspx

http://technet.microsoft.com/en-us/library/hh831424.aspx


Q364. HOTSPOT - (Topic 1) 

Your network contains an Active Directory domain named contoso.com. 

Computer accounts for the marketing department are in an organizational unit (OU) named Departments\Marketing\Computers. User accounts for the marketing department are in an OU named Departments\Marketing\Users. Marketing users can only log on to the client computers in the Departments\Marketing\Computers OU.

You need to apply an application control policy to all of the marketing users. 

Which Group Policy Object (GPO) should you configure? 

To answer, select the appropriate GPO in the answer area. 


Answer: 




Q365. - (Topic 3) 

Your network contains an Active Directory domain named contoso.com. The domain contains 100 user accounts that reside in an organizational unit (OU) named OU1. 

You need to ensure that a user named User1 can link and unlink Group Policy objects (GPOs) to OU1. The solution must minimize the number of permissions assigned to User1. 

What should you do? 

A. Run the Delegation of Control Wizard on the Policies containers 

B. Run the Set-GPPermission cmdlet 

C. Run the Delegation of Control Wizard on OU1 

D. Modify the permission on the user1 account 

Answer: C 

Explanation: 

A. Not minimum permissions 

B. Grants a level of permissions to a security principal for one GPO or all the GPOs in a domain 

C. Minimizes delegated permission to a single OU 

D. Will not allow GPO changes to the OU

Delegation of Control Wizard

The following are common tasks that you can select to delegate:

Create, delete, and manage user accounts
Reset user passwords and force password change at next logon
Read all user information
Modify the membership of a group
Join a computer to a domain
Manage Group Policy links
Generate Resultant Set of Policy (Planning)
Generate Resultant Set of Policy (Logging)
Create, delete, and manage inetOrgPerson accounts
Reset inetOrgPerson passwords and force password change at next logon
Read all inetOrgPerson information


Q366. - (Topic 3) 

You work as an administrator at Contoso.com. The Contoso.com network consists of a single domain named Contoso.com. All servers in the Contoso.com domain, including domain controllers, have Windows Server 2012 R2 installed. 

Contoso.com has a domain controller, named ENSUREPASS-DC01. 

You have been instructed to make sure that the Group Policy Administrative Templates are available centrally. 

Which of the following actions should you take? 

A. You should consider copying the policies folder to the PolicyDefinitions folder in the Contoso.com domain’s SYSVOL folder. 

B. You should consider copying the PolicyDefinitions folder to the policies folder in the Contoso.com domain’s SYSVOL folder. 

C. You should consider copying the PolicyDefinitions folder to the policies folder in the Contoso.com domain’s systemroot folder. 

D. You should consider copying the PolicyDefinitions folder to the policies folder in the Contoso.com domain’s logonserver folder. 

Answer: B 

Explanation: 

PolicyDefinitions folder within the SYSVOL folder hierarchy. By placing the ADMX files in this directory, they are replicated to every DC in the domain; by extension, the ADMX-aware Group Policy Management Console in Windows Vista, Windows 7, Windows Server 2008 and R2 can check this folder as an additional source of ADMX files, and will report them accordingly when setting your policies. By default, the folder is not created. Whether you are a single DC or several thousand, I would strongly recommend you create a Central Store and start using it for all your ADMX file storage. It really does work well.

The Central Store

To take advantage of the benefits of .admx files, you must create a Central Store in the SYSVOL folder on a domain controller. The Central Store is a file location that is checked by the Group Policy tools. The Group Policy tools use any .admx files that are in the Central Store. The files that are in the Central Store are later replicated to all domain controllers in the domain.

To create a Central Store for .admx and .adml files, create a folder that is named PolicyDefinitions in the following location: \\FQDN\SYSVOL\FQDN\policies.

Note: FQDN is a fully qualified domain name.


Q367. - (Topic 1) 

Your network contains an Active Directory domain named contoso.com. You have a Group Policy object (GPO) named GP1 that is linked to the domain. GP1 contains a software restriction policy that blocks an application named App1. 

You have a workgroup computer named Computer1 that runs Windows 8. A local Group Policy on Computer1 contains an application control policy that allows App1. 

You join Computer1 to the domain. 

You need to prevent App1 from running on Computer1. 

What should you do? 

A. From Computer1, run gpupdate /force.

B. From Group Policy Management, add an application control policy to GP1. 

C. From Group Policy Management, enable the Enforced option on GP1. 

D. In the local Group Policy of Computer1, configure a software restriction policy. 

Answer: B 

Explanation: 

AppLocker policies take precedence over policies generated by SRP on computers that are running an operating system that supports AppLocker.

AppLocker policies in the GPO are applied, and they supersede the policies generated by SRP in the GPO and local AppLocker policies or policies generated by SRP.


Q368. - (Topic 2) 

Your network contains an Active Directory domain named adatum.com. The domain contains a member server named L0N-DC1. L0N-DC1 runs Windows Server 2012 R2 and has the DHCP Server server role installed. 

The network contains 100 client computers and 50 IP phones. The computers and the phones are from the same vendor. 

You create an IPv4 scope that contains addresses from 172.16.0.1 to 172.16.1.254. 

You need to ensure that the IP phones receive IP addresses in the range of 172.16.1.100 to 172.16.1.200. The solution must minimize administrative effort. 

What should you create? 

A. Server level policies 

B. Reservations 

C. Filters 

D. Scope level policies 

Answer: D 

Explanation: 

The scope is already in place.

Scope level policies are typically settings that only apply to that scope. They can also overwrite a setting that was set at the server level.

When a client matches the conditions of a policy, the DHCP server responds to the client based on the settings of that policy.

Settings associated with a policy can be an IP address range and/or options.

An administrator could configure the policy to provide an IP address from a specified sub-range within the overall IP address range of the scope.

You can also provide different option values for clients satisfying this policy.

Policies can be defined server wide or for a specific scope.

A server wide policy, on the same lines as server wide option values, is applicable to all scopes on the DHCP server.

A server wide policy, however, cannot have an IP address range associated with it.

There are a couple of ways to segregate clients based on the type of device. One way to do this is by using the vendor class/identifier.

This string, sent in option 60 by most DHCP clients, identifies the vendor and thereby the type of the device.

Another way to segregate clients based on device type is by using the MAC address prefix.

The first three bytes of a MAC address are called the OUI and identify the vendor or manufacturer of the device.

By creating DHCP policies with conditions based on Vendor Class or MAC address prefix, you can now segregate the clients in your subnet in such a way that devices of a specific type get an IP address only from a specified IP address range within the scope. You can also give a different set of options to these clients.

In conclusion, DHCP policies in Windows Server 2012 R2 enable grouping of clients/devices using different criteria and delivering targeted network configuration to them.

Policy based assignment in Windows Server 2012 R2 DHCP allows you to create simple yet powerful rules to administer DHCP on your network.

References: Training Guide: Installing and Configuring Windows Server 2012 R2, Chapter 6: Network Administration, p.253 



Q369. - (Topic 3) 

Your network contains one Active Directory forest named contoso.com. The forest contains a single domain. All domain controllers run Windows Server 2012 R2. 

You need to modify the membership of a group named Group1 to include two users named User1 and User2. 

What command should you run? To answer, select the appropriate options in the answer area. 

Select three. 

A. Use command Add-GroupMember 

B. Use command Add-ADGroupMember 

C. As first parameter use Group1 

D. As first parameter use User1, User2 

E. As first parameter use {User1, User2} 

F. As second parameter use Group1 

G. As second parameter use User1, User2 

H. As second parameter use {User1, User2} 

Answer: B,C,G 


Q370. - (Topic 2) 

Your network contains an Active Directory domain named contoso.com. The domain contains a domain controller named DC1 that runs Windows Server 2012 R2. 

A user named User1 attempts to log on to DC1, but receives the error message shown in the exhibit.


You need to ensure that User1 can log on to DC1. What should you do? 

A. Add User1 to the Remote Management Users group. 

B. Grant User1 the Allow log on locally user right. 

C. Modify the Logon Workstations setting of the User1 account. 

D. Modify the Account is sensitive and cannot be delegated setting of the User1 account. 

Answer: B 

Explanation: 

Domain controllers, by default, restrict the types of user accounts that have the ability to log on locally. 

References:

Exam Ref 70-410: Installing and Configuring Windows Server 2012 R2, Chapter 6: Create and Manage Group Policy, Objective 6.2: Configure Security Policies, p. 321

Exam Ref 70-410: Installing and Configuring Windows Server 2012 R2, Chapter 2: Configure server roles and features, Objective 2.3: Configure servers for remote management, p. 114

http://technet.microsoft.com/en-us/library/ee957044(v=ws.10).aspx 


Q371. - (Topic 3) 

Your network contains an Active Directory domain named contoso.com. The network contains a member server named Server1 that runs Windows Server 2012 R2. Server1 has the DNS Server server role installed and has a primary zone for contoso.com. The Active Directory domain contains 500 client computers. There are an additional 20 computers in a workgroup. You discover that every client computer on the network can add its record to the contoso.com zone. 

You need to ensure that only the client computers in the Active Directory domain can register records in the contoso.com zone. 

What should you do first? 

A. Move the contoso.com zone to a domain controller that is configured as a DNS server 

B. Configure the Dynamic updates settings of the contoso.com zone 

C. Sign the contoso.com zone by using DNSSEC 

D. Configure the Security settings of the contoso.com zone. 

Answer: A 

Explanation: 

If you install DNS server on a non-DC, then you are not able to create AD-integrated zones. DNS update security is available only for zones that are integrated into AD DS. When you directory-integrate a zone, access control list (ACL) editing features are available in DNS Manager so that you can add or remove users or groups from the ACL for a specified zone or resource record.

1. Active Directory’s DNS Domain Name is NOT a single label name (“DOMAIN” vs. the minimal requirement of “domain.com”, “domain.local”, etc.).

2. The Primary DNS Suffix MUST match the zone name that is allowing updates. Otherwise the client doesn’t know what zone name to register in. You can also have a different Connection Specific Suffix in addition to the Primary DNS Suffix to register into that zone as well.

3. AD/DNS zone MUST be configured to allow dynamic updates, whether Secure or Secure and Non-Secure. For client machines, if a client is not joined to the domain, and the zone is set to Secure, it will not register either. 

4. You must ONLY use the DNS servers that host a copy of the AD zone name or have a reference to get to them. Do not use your ISP’s, an external DNS address, your router as a DNS address, or any other DNS that does not have a copy of the AD zone. Internet resolution for your machines will be accomplished by the Rootservers (Root Hints), however it’s recommended to configure a forwarder for efficient Internet resolution. 

5. The domain controller is multihomed (which means it has more than one unteamed, active NIC, more than one IP address, and/or RRAS is installed on the DC). 

6. The DNS addresses configured in the client’s IP properties must ONLY reference the DNS server(s) hosting the AD zone you want to update in. This means that you must NOT use an external DNS in any machine’s IP property in an AD environment. You can’t mix them either. That’s because of the way the DNS Client side resolver service works. Even if you mix up internal DNS and ISP’s DNS addresses, the resolver algorithm can still have trouble asking the correct DNS server. It will ask the first one first. If it doesn’t get a response, it removes the first one from the eligible resolvers list and goes to the next in the list. It will not go back to the first one unless you restart the machine, restart the DNS Client service, or set a registry entry to cut the query TTL to 0. The rule is to ONLY use your internal DNS server(s) and configure a forwarder to your ISP’s DNS for efficient Internet resolution. This is the reg entry to cut the query to 0 TTL: The DNS Client service does not revert to using the first server. The Windows 2000 Domain Name System (DNS) Client service (DNS cache) follows a certain algorithm when it decides the order in which to use the DNS servers. http://support.microsoft.com/kb/286834 For more info, please read the following on the client side resolver service: DNS, WINS NetBIOS & the Client Side Resolver, Browser Service, Disabling NetBIOS, Direct Hosted SMB (Direct SMB), If One DC is Down Does a Client logon to Another DC, and DNS Forwarders Algorithm if you have multiple forwarders. 

http://msmvps.com/blogs/acefekay/archive/2009/11/29/dns-wins-netbios-amp-the-clientside- resolverbrowserservice-disabling-netbios-direct-hosted-smb-directsmb-if-one-dc-isdown-does-a- client-logon-toanother-dcand-dns-forwarders-algorithm.aspx 

7. For DHCP clients, DHCP Option 006 for the clients is set to the same DNS server.

8. If using DHCP, DHCP server must only be referencing the same exact DNS server(s) in its own IP properties in order for it to ‘force’ (if you set that setting) registration into DNS. Otherwise, how would it know which DNS to send the reg data to?

9. If the AD DNS Domain name is a single label name, such as “EXAMPLE”, and not the proper format of “example.com” and/or any child of that format, such as “child1.example.com”, then we have a real big problem.

DNS will not allow registration into a single label domain name.

This is for two reasons:

1. It’s not the proper hierarchal format. DNS is hierarchal, but a single label name has no hierarchy. It’s just a single name.

2. Registration attempts cause major Internet queries to the Root servers. Why? Because it thinks the single label name, such as “EXAMPLE”, is a TLD (Top Level Domain), such as “com”, “net”, etc. It will now try to find what Root name server out there handles that TLD. In the end it comes back to itself and then attempts to register. Unfortunately it does NOT ask itself first for the mere reason it thinks it’s a TLD. (Quoted from Alan Woods, Microsoft, 2004):

“Due to this excessive Root query traffic, which ISC found from a study that discovered Microsoft DNS servers are causing excessive traffic because of single label names, Microsoft, being an internet friendly neighbor and wanting to stop this problem for their neighbors, stopped the ability to register into DNS with Windows 2000 SP4, XP SP1, (especially XP, which cause lookup problems too), and Windows 2003. After all, DNS is hierarchal, so therefore why even allow single label DNS domain names?”

The above also *especially* applies to Windows Vista, 7, 2008, 2008 R2, and newer.

10. “Register this connection’s address” on the client is not enabled under the NIC’s IP properties, DNS tab.

11. Maybe there’s a GPO set to force Secure updates and the machine isn’t a joined member of the domain.

12. On 2000, 2003 and XP, the “DHCP client” Service not running. In 2008/Vista and newer, it’s the DNS Client Service. This is a requirement for DNS registration and DNS resolution even if the client is not actually using DHCP.

13. You can also configure DHCP to force register clients for you, as well as keep the DNS zone clean of old or duplicate entries. See the link I posted in my previous post.


Q372. - (Topic 3) 

A network technician installs Windows Server 2012 R2 Standard on a server named Server1.

A corporate policy states that all servers must run Windows Server 2012 R2 Enterprise. 

You need to ensure that Server1 complies with the corporate policy. 

You want to achieve this goal by using the minimum amount of administrative effort. 

What should you perform? 

A. a clean installation of Windows Server 2012 R2 

B. an upgrade installation of Windows Server 2012 R2 

C. online servicing by using Dism 

D. offline servicing by using Dism 

Answer: C 

Explanation: 

A. Not least effort 

B. Not least effort 

C. dism /online /set-edition

D. offline would be less ideal and more work

ex: DISM /online /Set-Edition:ServerEnterprise /ProductKey:489J6-VHDMP-X63PK-3K798-CPX3Y

Windows Server 2008 R2/2012 contains a command-line utility called DISM (Deployment Image Servicing and Management tool). This tool has many features, but one of those features is the ability to upgrade the edition of Windows in use. Note that this process is for upgrades only and is irreversible. You cannot set a Windows image to a lower edition. The lowest edition will not appear when you run the /Get-TargetEditions option.

If the server is running an evaluation version of Windows Server 2012 R2 Standard or Windows Server 2012 R2 Datacenter, you can convert it to a retail version as follows:

If the server is a domain controller, you cannot convert it to a retail version. In this case, install an additional domain controller on a server that runs a retail version and remove AD DS from the domain controller that runs on the evaluation version.

From an elevated command prompt, determine the current edition name with the command DISM /online /Get-CurrentEdition. Make note of the edition ID, an abbreviated form of the edition name. Then run DISM /online /Set-Edition:<edition ID> /ProductKey:XXXXX-XXXXX-XXXXX-XXXXX-XXXXX /AcceptEula, providing the edition ID and a retail product key. The server will restart twice.