How to pass Microsoft 70-412 Real Exam in 24 Hours [exam engine 31-45]

Exam Code: 70-412 (Practice Exam Latest Test Questions VCE PDF)
Exam Name: Configuring Advanced Windows Server 2012 Services
Certification Provider: Microsoft

2016 Apr 70-412 Study Guide Questions:

Q31. You have a server named Server1 that runs Windows Server 2012 R2. Server1 has the DNS Server server role installed. 

You need to store the contents of all the DNS queries received by Server1. 

What should you configure? 

A. Logging from Windows Firewall with Advanced Security 

B. Debug logging from DNS Manager 

C. A Data Collector Set (DCS) from Performance Monitor 

D. Monitoring from DNS Manager 

Answer: B 

Explanation: 

Debug logging allows you to log the packets sent and received by a DNS server. Debug logging is disabled by default, and because it is resource intensive, you should only activate it temporarily when you need more specific detailed information about server performance. 

Reference: Active Directory 2008: DNS Debug Logging Facts… 


Q32. Your network contains an Active Directory domain named contoso.com. The domain contains two servers named Server1 and Server2. Both servers have the IP Address Management (IPAM) Server feature installed. 

You have a support technician named Tech1. Tech1 is a member of the IPAM Administrators group on Server1 and Server2. 

You need to ensure that Tech1 can use Server Manager on Server1 to manage IPAM on Server2. 

To which group on Server2 should you add Tech1? 

A. IPAM MSM Administrators 

B. IPAM Administrators 

C. winRMRemoteWMIUsers_ 

D. Remote Management Users 

Answer: C 

Explanation: 

If you are accessing the IPAM server remotely using Server Manager IPAM client RSAT, then you must be a member of the WinRMRemoteWMIUsers group on the IPAM server, in addition to being a member of the appropriate IPAM security group (or local Administrators group). 

Reference: IPAM Deployment Planning, IPAM specifications 


Q33. Your network contains two Active Directory forests named contoso.com and corp.contoso.com. 


User1 is a member of the DnsAdmins domain local group in contoso.com. 

User1 attempts to create a conditional forwarder to corp.contoso.com but receives the error message shown in the exhibit. (Click the Exhibit button.)


You need to configure bi-directional name resolution between the two forests. 

What should you do first? 

A. Add User1 to the DnsUpdateProxy group. 

B. Configure the zone to be Active Directory-integrated. 

C. Enable the Advanced view from DNS Manager. 

D. Run the New Delegation Wizard. 

Answer: B 

Explanation: 

The zone must be Active Directory-integrated. 


Q34. HOTSPOT 

Your network contains two Web servers named Server1 and Server2. Both servers run Windows Server 2012 R2. 

Server1 and Server2 are nodes in a Network Load Balancing (NLB) cluster. The NLB cluster contains an application named App1 that is accessed by using the URL http://app1.contoso.com. 

You deploy a new server named Server3 that runs Windows Server 2012 R2. The contoso.com DNS zone contains the records shown in the following table. 


You need to add Server3 to the NLB cluster. 

What command should you run? 

To answer, select the appropriate options in the answer area. 



Answer: 



Q35. Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server3 that runs Windows Server 2012 R2 and has the DHCP Server server role installed. 

DHCP is configured as shown in the exhibit. (Click the Exhibit button.) 


You need to ensure that only Scope1, Scope3, and Scope5 assign the same DNS servers to DHCP clients. The solution must minimize administrative effort. 

What should you do? 

A. Create a superscope and scope-level policies. 

B. Configure the Scope Options. 

C. Create a superscope and a filter. 

D. Configure the Server Options. 

Answer: B 

Explanation: 

Any DHCP scope options can be configured for assignment to DHCP clients, such as DNS server.

Reference: Configuring a DHCP Scope. 

http://technet.microsoft.com/en-us/library/dd759218.aspx 



Q36. Your network contains an Active Directory domain named contoso.com. The domain contains three servers named Server1, Server2, and Server3 that run Windows Server 2012 R2. All three servers have the Hyper-V server role installed and the Failover Clustering feature installed.

Server1 and Server2 are nodes in a failover cluster named Cluster1. Several highly available virtual machines run on Cluster1. Cluster1 has the Hyper-V Replica Broker role installed. The Hyper-V Replica Broker currently runs on Server1. 

Server3 currently has no virtual machines. 

You need to configure Cluster1 to be a replica server for Server3 and Server3 to be a replica server for Cluster1. 

Which two tools should you use? (Each correct answer presents part of the solution. Choose two.) 

A. The Hyper-V Manager console connected to Server3 

B. The Failover Cluster Manager console connected to Server3 

C. The Hyper-V Manager console connected to Server1. 

D. The Failover Cluster Manager console connected to Cluster1 

E. The Hyper-V Manager console connected to Server2 

Answer: A,D 

Explanation: 

A. To configure the Replica server [on a server that is not part of a cluster, which in this case is Server3]: In Hyper-V Manager, click Hyper-V Settings in the Actions pane. In the Hyper-V Settings dialog, click Replication Configuration. In the Details pane, select Enable this computer as a Replica server. Etc.

D. To configure a Replica server that is part of a failover cluster. 

1. In Server Manager, open Failover Cluster Manager. 

2. In the left pane, connect to the cluster, and while the cluster name is highlighted, click Roles in the Navigate category of the Details pane. 

3. Right-click the role and choose Replication Settings. 

4. In the Details pane, select Enable this cluster as a Replica server. Etc. 

Reference: Deploy Hyper-V Replica, Step 2: Enable Replication

http://technet.microsoft.com/en-us/library/jj134240.aspx 


Q37. Your network contains an Active Directory forest. The forest contains one domain named contoso.com. The domain contains three domain controllers. The domain controllers are configured as shown in the following table. 


DC1 has all of the operations master roles installed. 

You transfer all of the operations master roles to DC2, and then you uninstall Active Directory from DC1. 

You need to ensure that you can use Password Settings objects (PSOs) in the domain. 

What should you do? 

A. Change the domain functional level. 

B. Upgrade DC2. 

C. Run the dcgpofix.exe command. 

D. Transfer the schema master role. 

Answer: A 

Explanation: 

The domain functional level must be Windows Server 2008 to use PSOs.

Requirements and special considerations for fine-grained password and account lockout policies: 

* Domain functional level: The domain functional level must be set to Windows Server 2008 or higher.

Etc. 

Incorrect: 

Not B. DC2 is also Windows Server 2008. 

Not C. Recreates the default Group Policy Objects (GPOs) for a domain 

Not D. Schema isn't up to right level 

Reference: AD DS: Fine-Grained Password Policies 

http://technet.microsoft.com/en-us/library/cc770394(v=ws.10).aspx 


Q38. Your network contains an Active Directory forest named contoso.com. The forest contains a single domain. The forest contains three Active Directory sites named SiteA, SiteB, and SiteC. The sites contain four domain controllers. The domain controllers are configured as shown in the following table. 


An IP site link exists between each site.

You discover that the users in SiteC are authenticated by the domain controllers in SiteA and SiteB. 

You need to ensure that the SiteC users are authenticated by the domain controllers in SiteB, unless all of the domain controllers in SiteB are unavailable. 

What should you do? 

A. Create an SMTP site link between SiteB and SiteC. 

B. Create additional connection objects for DC3 and DC4. 

C. Decrease the cost of the site link between SiteB and SiteC. 

D. Create additional connection objects for DC1 and DC2. 

Answer: C 

Explanation: 

By decreasing the site link cost between SiteB and SiteC the SiteC users would be authenticated by SiteB rather than by SiteA. 


Q39. Your network contains an Active Directory domain named contoso.com. The domain contains a domain controller named DC1 and a member server named Server1. Server1 has the IP Address Management (IPAM) Server feature installed.

On DC1, you configure Windows Firewall to allow all of the necessary inbound ports for IPAM.

On Server1, you open Server Manager as shown in the exhibit. (Click the Exhibit button.) 


You need to ensure that you can use IPAM on Server1 to manage DNS on DC1. 

What should you do? 

A. Modify the outbound firewall rules on Server1. 

B. Modify the inbound firewall rules on Server1. 

C. Add Server1 to the Remote Management Users group. 

D. Add Server1 to the Event Log Readers group. 

Answer: D 

Explanation: 

To access configuration data and server event logs, the IPAM server must be a member of the domain IPAM Users Group (IPAMUG). The IPAM server must also be a member of the Event Log Readers security group. 

Note: The computer account of the IPAM server must be a member of the Event Log Readers security group. 

Reference: Manually Configure DC and NPS Access Settings.

http://technet.microsoft.com/en-us/library/jj878317.aspx

http://technet.microsoft.com/en-us/library/jj878313.aspx


Q40. You deploy an Active Directory Federation Services (AD FS) 2.1 infrastructure. The infrastructure uses Active Directory as the attribute store. 

Some users report that they fail to authenticate to the AD FS infrastructure. 

You discover that only users who run third-party web browsers experience issues. 

You need to ensure that all of the users can authenticate to the AD FS infrastructure successfully. 

Which Windows PowerShell command should you run? 

A. Set-ADFSProperties -ProxyTrustTokenLifetime 1:00:00 

B. Set-ADFSProperties -AddProxyAuthenticationRules None 

C. Set-ADFSProperties -SSOLifetime 1:00:00 

D. Set-ADFSProperties -ExtendedProtectionTokenCheck None 

Answer: D 

Explanation: 

Certain client browser software, such as Firefox, Chrome, and Safari, does not support the Extended Protection for Authentication capabilities that can be used across the Windows platform to protect against man-in-the-middle attacks. To prevent this type of attack from occurring over secure AD FS communications, AD FS 2.0 enforces (by default) that all communications use a channel binding token (CBT) to mitigate against this threat.

Note: To disable the Extended Protection for Authentication feature in AD FS 2.0:

* On a federation server, log in using the Administrator account, open the Windows PowerShell command prompt, and then type the following command: Set-ADFSProperties -ExtendedProtectionTokenCheck None

* Repeat this step on each federation server in the farm.

Reference: Configuring Advanced Options for AD FS 2.0 



Q41. You have an Active Directory Rights Management Services (AD RMS) cluster. 

You need to prevent users from encrypting new content. The solution must ensure that the users can continue to decrypt content that was encrypted already. 

Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.) 

A. From the Active Directory Rights Management Services console, enable decommissioning. 

B. From the Active Directory Rights Management Services console, create a user exclusion policy. 

C. Modify the NTFS permissions of %systemdrive%\inetpub\wwwroot\_wmcs\licensing. 

D. Modify the NTFS permissions of %systemdrive%\inetpub\wwwroot\_wmcs\decommission. 

E. From the Active Directory Rights Management Services console, modify the rights policy templates. 

Answer: A,D 

Explanation: 

* Decommissioning refers to the entire process of removing the AD RMS cluster and its associated databases from an organization. This process allows you to save rights-protected files as ordinary files before you remove AD RMS from your infrastructure so that you do not lose access to these files.

Decommissioning an AD RMS cluster is achieved by doing the following: 

/ Enable the decommissioning service. (A) 

/ Modify permissions on the decommissioning pipeline. 

/ Configure the AD RMS-enabled application to use the decommissioning pipeline. 

* To modify the permissions on the decommissioning pipeline 

1. Log on to ADRMS-SRV as cpandl\administrator. 

2. Click Start, type %systemdrive%\inetpub\wwwroot\_wmcs in the Start Search box, and then press ENTER.

3. Right-click the decommission folder, and then click Properties. 

4. Click the Security tab, click Edit, and then click Add. (D) 

Etc. 

Reference: Step 1: Decommission AD RMS Root Cluster 


Q42. HOTSPOT 

Your network contains one Active Directory forest named contoso.com and one Active Directory forest named adatum.com. Each forest contains a single domain. 

You have the domain controllers configured as shown in the following table. 


You perform the following three actions: 

Create a user named User1 on DC3. 

Create a file named File1.txt in the SYSVOL folder on DC1. 

Create a Group Policy object (GPO) named GPO1 on DC1 and link GPO1 to Site2.

You need to identify on which domain controller or controllers each object is stored. 

What should you identify? To answer, select the appropriate options in the answer area. 


Answer: 



Q43. Your network contains two DNS servers named DNS1 and DNS2 that run Windows Server 2012 R2. 

DNS1 has a primary zone named contoso.com. DNS2 has a secondary copy of the contoso.com zone. 

You need to log the zone transfer packets sent between DNS1 and DNS2. 

What should you configure? 

A. Monitoring from DNS Manager 

B. Logging from Windows Firewall with Advanced Security 

C. A Data Collector Set (DCS) from Performance Monitor 

D. Debug logging from DNS Manager 

Answer: D 

Explanation: 

Debug logging allows you to log the packets sent and received by a DNS server. Debug logging is disabled by default, and because it is resource intensive, you should only activate it temporarily when you need more specific detailed information about server performance. 

Reference: Active Directory 2008: DNS Debug Logging Facts. 


Q44. Your network contains an Active Directory domain named contoso.com. 

A previous administrator implemented a Proof of Concept installation of Active Directory Rights Management Services (AD RMS) on a server named Server1. 

After the proof of concept was complete, the Active Directory Rights Management Services server role was removed. 

You attempt to deploy AD RMS. 

During the configuration of AD RMS, you receive an error message indicating that an existing AD RMS Service Connection Point (SCP) was found. 

You need to ensure that clients will only attempt to establish connections to the new AD RMS deployment. 

What should you do?

A. From DNS, remove the records for Server1. 

B. From DNS, increase the priority of the DNS records for the new deployment of AD RMS. 

C. From Active Directory, remove the computer object for Server1. 

D. From Active Directory, remove the SCP. 

Answer: D 

Explanation: The Active Directory Rights Management Services (AD RMS) Service Connection Point (SCP) is an object in Active Directory that holds the web address of the AD RMS certification cluster. AD RMS-enabled applications use the SCP to discover the AD RMS service; it is the first connection point for users to discover the AD RMS web services. 

Only one SCP can exist in your Active Directory forest. If you try to install AD RMS and an SCP already exists in your forest from a previous AD RMS installation that was not properly deprovisioned, the new SCP will not install properly. It must be removed before you can establish the new SCP. 

Reference: The AD RMS Service Connection Point 

http://social.technet.microsoft.com/wiki/contents/articles/710.the-ad-rms-service-connection-point.aspx 


Q45. Your network contains an Active Directory forest. The forest contains two domains named contoso.com and fabrikam.com. The functional level of the forest is Windows Server 2003. 

You have a domain outside the forest named adatum.com. 

You need to configure an access solution to meet the following requirements: 

* Users in adatum.com must be able to access resources in contoso.com. 

* Users in adatum.com must be prevented from accessing resources in fabrikam.com. 

* Users in both contoso.com and fabrikam.com must be prevented from accessing resources in adatum.com. 

What should you create? 

A. a one-way realm trust from contoso.com to adatum.com 

B. a one-way realm trust from adatum.com to contoso.com 

C. a one-way external trust from contoso.com to adatum.com 

D. a one-way external trust from adatum.com to contoso.com 

Answer: C 

Explanation: 

The contoso domain must trust the adatum domain. 

Note: In a One-way: incoming trust, users in your (trusted) domain can be authenticated in the other (trusting) domain. Users in the other domain cannot be authenticated in your domain.

Incorrect: 

Not A, not B. Use realm trusts to form a trust relationship between a non-Windows Kerberos realm and a Windows Server domain.

Not D. The resources that are to be shared are in the contoso domain. 

Reference: Trust types 


