Microsoft 70-413 (Designing and Implementing a Server Infrastructure) exam questions and answers.
Q81. - (Topic 8)
Your network contains an Active Directory domain named contoso.com. All servers run Windows Server 2008 R2. All domain controllers are installed on physical servers. The network contains several Hyper-V hosts.
The network contains a Microsoft System Center 2012 infrastructure.
You plan to use domain controller cloning to deploy several domain controllers that will run Windows Server 2012.
You need to recommend which changes must be made to the network infrastructure before you can use domain controller cloning.
What should you recommend?
A. Upgrade a global catalog server to Windows Server 2012. Deploy Virtual Machine Manager (VMM).
B. Upgrade a global catalog server to Windows Server 2012. Install the Windows Deployment Services server role on a server that runs Windows Server 2012.
C. Upgrade the domain controller that has the PDC emulator operations master role to Windows Server 2012. Deploy a Hyper-V host that runs Windows Server 2012.
D. Upgrade the domain controller that has the infrastructure master operations master role to Windows Server 2012. Install the Windows Deployment Services server role on a server that runs Windows Server 2012.
Answer: C
Explanation: The clone domain controller uses the security context of the source domain controller (the domain controller whose copy it represents) to contact the Windows Server 2012 Primary Domain Controller (PDC) emulator operations master role holder (also known as flexible single master operations, or FSMO). The PDC emulator must be running Windows Server 2012, but it does not have to be running on a hypervisor.
Reference: Introduction to Active Directory Domain Services (AD DS) Virtualization (Level 100)
Q82. - (Topic 8)
Your network contains an Active Directory domain named contoso.com. The domain contains three Active Directory sites. The Active Directory sites are configured as shown in the following table.
The sites connect to each other by using the site links shown in the following table.
You need to design the Active Directory site topology to meet the following requirements:
* Ensure that all replication traffic between Site2 and Site3 replicates through Site1 if a domain controller in Site1 is available.
* Ensure that the domain controllers between Site2 and Site3 can replicate if all of the domain controllers in Site1 are unavailable.
What should you do?
A. Delete Link2.
B. Disable site link bridging.
C. Delete Link3.
D. Create one site link bridge.
E. Modify the cost of Link2.
Answer: E
Q83. - (Topic 8)
Your network contains an Active Directory domain named contoso.com. All domain controllers run Windows Server 2012 R2. The forest functional level is Windows Server 2012.
Your company plans to deploy an application that will provide a search interface to users in the company. The application will query the global catalog for the Employee-Number attribute.
You need to recommend a solution to ensure that the application can retrieve the Employee-Number value from the global catalog.
What should you include in the recommendation?
A. the Dsmod command
B. the Ldifde command
C. the Enable-ADOptionalFeature cmdlet
D. the Csvde command
Answer: B
Explanation: Ldifde creates, modifies, and deletes directory objects. You can also use ldifde to extend the schema, export Active Directory user and group information to other applications or services, and populate Active Directory Domain Services (AD DS) with data from other directory services.
Ldifde -l <LDAPAttributeList>: Sets the list of attributes to return in the results of an export query. If you do not specify this parameter, the search returns all attributes.
Incorrect:
Not C:
Optional feature: A non-default behavior that modifies the Active Directory state model.
Q84. - (Topic 3)
You need to ensure that NAP meets the technical requirements.
Which role services should you install?
A. Network Policy Server, Health Registration Authority and Host Credential Authorization Protocol
B. Health Registration Authority, Host Credential Authorization Protocol and Online Responder
C. Certification Authority, Network Policy Server and Health Registration Authority
D. Online Responder, Certification Authority and Network Policy Server
Answer: C
Explanation:
* Scenario:
Implement Network Access Protection (NAP).
Ensure that NAP with IPsec enforcement can be configured.
* Health Registration Authority
Applies To: Windows Server 2008 R2, Windows Server 2012
Health Registration Authority (HRA) is a component of a Network Access Protection (NAP) infrastructure that plays a central role in NAP Internet Protocol security (IPsec) enforcement.
HRA obtains health certificates on behalf of NAP clients when they are compliant with network health requirements. These health certificates authenticate NAP clients for IPsec-protected communications with other NAP clients on an intranet. If a NAP client does not have a health certificate, the IPsec peer authentication fails and the NAP client cannot initiate communication with other IPsec-protected computers on the network.
HRA is installed on a computer that is also running Network Policy Server (NPS) and Internet Information Services (IIS). If they are not already installed, these services will be added when you install HRA.
Reference: Health Registration Authority
Q85. - (Topic 8)
Your network contains an Active Directory domain named contoso.com. The domain contains three Active Directory sites. The Active Directory sites are configured as shown in the following table.
The sites connect to each other by using the site links shown in the following table.
Site link name Connected sites
You need to design the Active Directory site topology to meet the following requirements:
* Ensure that all replication traffic between Site2 and Site3 replicates through Site1 if a domain controller in Site1 is available.
* Ensure that the domain controllers between Site2 and Site3 can replicate if all of the domain controllers in Site1 are unavailable.
What should you do?
A. Delete Link1.
B. Delete Link2.
C. Delete Link3.
D. Disable site link bridging.
E. Create one site link bridge.
F. Modify the cost of Link2.
G. Create one SMTP site link between Site2 and Site3.
H. Create one SMTP site link between Site1 and Site3. Create one SMTP site link between Site1 and Site2.
Answer: F
Q86. - (Topic 8)
Your network contains an Active Directory domain named contoso.com. The domain contains multiple sites.
You plan to deploy DirectAccess.
The network security policy states that when client computers connect to the corporate network from the Internet, all of the traffic destined for the Internet must be routed through the corporate network.
You need to recommend a solution for the planned DirectAccess deployment that meets the security policy requirement.
Solution: You set the ISATAP State to state disabled.
Does this meet the goal?
A. Yes
B. No
Answer: A
Explanation: With NAT64 and DNS64, the DirectAccess server now has the ability to take those client IPv6 packets and spin them down into IPv4 packets, so you can simply leave your internal network all IPv4. So back in the beginning it was standard practice to enable ISATAP globally. Today, because of the known issues, it is recommended not to use ISATAP at all, unless you have a specific reason for needing it.
Note: ISATAP defines a method for generating a link-local IPv6 address from an IPv4 address, and a mechanism to perform Neighbor Discovery on top of IPv4.
Reference: IS ISATAP REQUIRED FOR DIRECTACCESS?
Q87. - (Topic 8)
Your company has a main office.
The network contains an Active Directory domain named contoso.com. The main office contains a server named Server1 that runs Windows Server 2012. Server1 has the Remote Access server role installed and is configured to accept incoming SSTP-based VPN connections.
All client computers run Windows 7.
The company plans to open a temporary office that will contain a server named Server2 that runs Windows Server 2012 and has the DHCP Server server role installed. The office will also have 50 client computers and an Internet connection.
You need to recommend a solution to provide the users in the temporary office with access to the resources in the main office.
What should you recommend?
More than one answer choice may achieve the goal. Select the BEST answer.
A. Use the Connection Manager Administration Kit (CMAK) to create a connection package that specifies Server1 as the target for SSTP-based VPN connections. Manually distribute the CMAK package to each client computer in the temporary office.
B. Install the Remote Access server role on Server2. From Routing and Remote Access on Server2, add a SSTP-based VPN port. From DHCP on Server2, configure the default gateway server option.
C. Use the Connection Manager Administration Kit (CMAK) to create a connection package that specifies Server1 as the target for SSTP-based VPN connections. Use a Group Policy object (GPO) to distribute the CMAK package to each client computer in the temporary office.
D. Install the Remote Access server role on Server2. From Routing and Remote Access on Server2, configure a demand-dial interface. From DHCP on Server2, configure the default gateway server option.
Answer: B
Explanation:
* Configure the RRAS server role as a VPN server on a Windows Server 2008 R2 machine. To do that, you need to first install the RRAS server role.
* In the case of IPv4, the remote access client’s VPN configuration is the ONLY configuration that governs whether it has a default IPv4 gateway towards the VPN server or not.
Reference: Remote Access Deployment – Part 2: Configuring RRAS as a VPN server
Q88. - (Topic 8)
You are designing an Active Directory forest for a company named Contoso, Ltd. Contoso identifies the following administration requirements for the design:
* User account administration and Group Policy administration will be performed by network technicians. The technicians will be added to a group named OUAdmins.
* IT staff who are responsible for backing up servers will have user accounts that are members of the Backup Operators group in the domain.
* All user accounts will be located in an organizational unit (OU) named AllEmployees.
You run the Delegation of Control Wizard and assign the OUAdmins group full control to all of the objects in the AllEmployees OU.
After delegating the required permissions, you discover that the user accounts of some of the IT staff have inconsistent permissions on the objects in AllEmployees.
You need to recommend a solution to ensure that the members of OUAdmins can manage all of the objects in AllEmployees.
What should you include in the recommendation?
A. Remove the IT staff user accounts from Backup Operators and place them in a new group. Grant the new group the Backup files and directories user right and the Restore files and directories user right. Enforce permission inheritance on all of the objects in the AllEmployees OU.
B. Create separate administrator user accounts for the technicians. Enforce permission inheritance on all of the objects in the AllEmployees OU. Delegate permissions to the new user accounts.
C. Enforce permission inheritance on all of the objects in the AllEmployees OU. Run the Delegation of Control Wizard.
D. Move the user accounts of the technicians to a separate OU. Enforce permission inheritance on all of the objects in the AllEmployees OU. Run the Delegation of Control Wizard on the AllEmployees OU.
Answer: C
Q89. - (Topic 8)
Your network contains an Active Directory domain named contoso.com. The domain contains multiple sites.
You plan to deploy DirectAccess.
The network security policy states that when client computers connect to the corporate network from the Internet, all of the traffic destined for the Internet must be routed through the corporate network.
You need to recommend a solution for the planned DirectAccess deployment that meets the security policy requirement.
Solution: You enable split tunneling.
Does this meet the goal?
A. Yes
B. No
Answer: A
Explanation: DirectAccess by default enables split tunneling. All traffic destined to the corpnet is sent over the DA IPsec tunnels, and all traffic destined for the Internet is sent directly to the Internet over the local interface. This prevents DA clients from bringing the corporate Internet connection to its knees.
Is DA split tunneling really a problem? The answer is no.
Why? Because the risks that exist with VPNs, where the machine can act as a router between the Internet and the corporate network, are not valid with DirectAccess. IPsec rules on the UAG server require that traffic be from an authenticated source, and all traffic between the DA client and server is protected with IPsec.
Thus, in the scenario where the DA client might be configured as a router, the source of the traffic isn’t going to be the DA client, and authentication will fail – hence preventing the type of routing that VPN admins are concerned about.
Reference: Why Split Tunneling is Not a Security Issue with DirectAccess
Q90. - (Topic 8)
Your network contains an Active Directory forest named contoso.com. The forest contains one domain.
Your company plans to open a new division named Division1. A group named Division1Admins will administer users and groups for Division1.
You identify the following requirements for Division1:
* All Division1 users must have a complex password that is 14 characters.
* Division1Admins must be able to manage the user accounts for Division1.
* Division1Admins must be able to create groups, and then delete the groups that they create.
* Division1Admins must be able to reset user passwords and force a password change at the next logon for all Division1 users.
You need to recommend changes to the forest to support the Division1 requirements.
What should you recommend?
More than one answer choice may achieve the goal. Select the BEST answer.
A. In the forest create a new organizational unit (OU) named Division1 and delegate permissions for the OU to the Division1Admins group. Move all of the Division1 user accounts to the new OU. Create a fine-grained password policy for the Division1 users.
B. Create a new child domain named division1.contoso.com. Move all of the Division1 user accounts to the new domain. Add the Division1Admins members to the Domain Admins group. Configure the password policy in a Group Policy object (GPO).
C. Create a new forest. Migrate all of the Division1 user objects to the new forest and add the Division1Admins members to the Enterprise Admins group. Configure the password policy in a Group Policy object (GPO).
D. In the forest create a new organizational unit (OU) named Division1 and add Division1Admins to the Managed By attribute of the new OU. Move the Division1 user objects to the new OU. Create a fine-grained password policy for the Division1 users.
Answer: A
