70-417 easy pass guide: Preparing for Microsoft 70-417 exam is really a tough task to accomplish. However, GreatExam delivers the most comprehensive braindumps, covering each and every aspect of 70-417 exam curriculum.
QUESTION 201
Your network contains an Active Directory domain named contoso.com. The domain contains two domain controllers. The domain controllers are configured as shown in the following table.
In the perimeter network, you install a new server named Server1 that runs Windows Server 2012 R2. Server1 is in a workgroup.
You need to perform an offline domain join of Server1 to the contoso.com domain.
What should you do first?
A. Run the djoin.exe command.
B. Run the dsadd.exe command.
C. Transfer the PDC emulator role to DC1.
D. Transfer the infrastructure master role to DC1.
Answer: A
Explanation:
There do not appear to be any requirements on operations master roles for this specific requirement.
Moreover, ODJ is available on both 2008R2 and 2012 and if there was to deal with a FSMO, RID would be concerned as it’s needed to create an AD object (in this case, creating the computer account)
QUESTION 202
Your network contains an Active Directory domain named contoso.com. All domain controllers run Windows Server 2008 R2. One of the domain controllers is named DC1.
The network contains a member server named Server1 that runs Windows Server 8.
You need to promote Server1 to a domain controller by using install from media (IFM).
What should you do first?
A. Create a system state backup of DC1.
B. Run the Active Directory Domain Services Installation Wizard on DC1.
C. Run the Active Directory Domain Services Configuration Wizard on Server1.
D. Create IFM media on DC1.
E. Upgrade DC1 to Windows Server 2012 R2.
Answer: E
Explanation:
http://technet.microsoft.com/en-us/library/cc770654(v=ws.10).aspx
QUESTION 203
You have a server named Server1 that runs Windows Server 2012 R2. On Server1, you configure a custom Data Collector Set (DCS) named DCS1.
You need to ensure that all performance log data that is older than 30 days is deleted automatically.
What should you configure?
A. A File Server Resource Manager (FSRM) file screen on the %Systemdrive%\PerfLogs folder
B. The Data Manager settings of DCS1
C. A schedule for DCS1
D. A File Server Resource Manager (FSRM) quota on the %Systemdrive%\PerfLogs folder
Answer: B
QUESTION 204
Your network contains a single Active Directory domain named contoso.com. The domain contains a member server named Server1 that runs Windows Server 2012 R2. Server1 has the Windows Server Updates Services server role installed and is configured to download updates from the Microsoft Update servers.
You need to ensure that Server1 downloads express installation files from the Microsoft Update servers.
What should you do from the Update Services console?
A. From the Products and Classifications options, configure the Products settings.
B. From the Products and Classifications options, configure the Classifications settings.
C. From the Update Files and Languages options, configure the Update Files settings.
D. From the Automatic Approvals options, configure the Update Rules settings.
Answer: C
QUESTION 205
Your network contains a domain controller named DC1 that runs Windows Server 2012 R2.
You create a custom Data Collector Set (DCS) named DCS1.
You need to configure DCS1 to collect the following information:
– The amount of Active Directory data replicated between DC1 and the other domain controllers
– The current values of several registry settings.
Which two should you configure in DCS1? (Each correct answer presents part of the solution. Choose two.)
A. System configuration information
B. A Performance Counter Alert
C. Event trace data
D. A performance counter
Answer: AD
QUESTION 206
Your network contains an Active Directory domain named contoso.com. The domain contains a domain controller named DC1. On DC1, you add a new volume and you stop the Active Directory Domain Services (AD DS) service.
You run ntdsutil.exe and you set NTDS as the active instance.
You need to move the Active Directory database to the new volume.
Which Ntdsutil context should you use?
A. Files
B. IFM
C. Configurable Settings
D. Partition management
Answer: A
QUESTION 207
Your network contains an Active Directory domain named contoso.com. The domain contains a domain controller named DC1.
You run ntdsutil as shown in the exhibit. (Click the Exhibit button.)
You need to ensure that you can access the contents of the mounted snapshot.
What should you do?
A. From the snapshot context of ntdsutil, run activate instance “NTDS”.
B. From a command prompt, run dsamain.exe -dbpathc:\$snap_201204131056_volumec$\windows\ntds\ntds.dit Idapport 389.
C. From the snapshot context of ntdsutil, run mount {79f94f82-5926-4f44-8af02f56d827a57d}.
D. From a command prompt, run dsamain.exe -dbpathc:\$snap_201204131056_volumec$\windows\ntds\ntds.ditIdapport 33389.
Answer: D
Explanation:
This is a live DC, so 389 is already in use; 33389 would not be so is a valid port.
http://technet.microsoft.com/en-us/library/cc753609(v=ws.10).aspx
QUESTION 208
Your network contains an Active Directory domain named contoso.com.
All domain controllers run Windows Server 2012 R2.
You pre-create a read-only domain controller (RODC) account named RODC1.
You export the settings of RODC1 to a file named File1.txt.
You need to promote RODC1 by using File1.txt.
Which tool should you use?
A. The Install-WindowsFeaturecmdlet
B. The Add-WindowsFeaturecmdlet
C. TheDism command
D. TheDcpromo command
E. The Install-ADDSDomainControllercmdlet
Answer: D
Explanation:
DCPromo is gone, HOWEVER, it is still used for unattend installations using unattended files. This allows administrators the chance to get used to using powershell commands instead of the unattended file.
http://technet.microsoft.com/en-us/library/hh472162.aspx
NB: http://technet.microsoft.com/en-us/library/jj205467.aspx Install-WindowsFeature
Installs one or more Windows Server roles, role services, or features on either the local or a specified remote server that is running Windows Server 2012 R2. This cmdlet is equivalent to and replaces Add- WindowsFeature, the cmdlet that was used to install roles, role services, and features in Windows Server 2008 R2. So the 2 first answers are the same and we only have one choice here…
QUESTION 209
Your network contains an Active Directory domain named contoso.com. Domain controllers run either Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012 R2.
You have a Password Settings object (PSOs) named PSO1.
You need to view the settings of PSO1.
Which tool should you use?
A. Get-ADDomainControllerPasswordReplicationPolicy
B. Get-ADDefaultDomainPasswordPolicy
C. Server Manager
D. Get-ADFineGrainedPasswordPolicy
Answer: D
Explanation:
http://technet.microsoft.com/en-us/library/ee617231.aspx
QUESTION 210
Your network contains an Active Directory domain named contoso.com.
The domain contains a domain controller named DC4 that runs Windows Server 2012 R2.
You create a DCCIoneConfig.xml file.
You need to clone DC4.
Where should you place DCCIoneConfig.xml on DC4?
A. %Systemroot%\SYSVOL
B. %Systemdrive%
C. %Systemroot%\NTDS
D. %Programdata%\Microsoft
Answer: C
Explanation:
http://technet.microsoft.com/de-de/library/hh831734.aspx
QUESTION 211
Your network contains an Active Directory domain named contoso.com.
The domain contains two member servers named Server1 and Server2.
You install the DHCP Server server role on Server1 and Server2.
You install the IP Address Management (IPAM) Server feature on Server1.
You notice that you cannot discover Server1 or Server2 in IPAM.
You need to ensure that you can use IPAM to discover the DHCP infrastructure.
Which two actions should you perform? (Each correct answer presents part of the solution.
Choose two.)
A. On Server2, run the Add-DhcpServerInDc cmdlet
B. On Server1, uninstall the DHCP Server server role.
C. On Server1, run the Add-IpamServerInventory cmdlet.
D. On both Server1 and Server2, run the Add-DhcpServerv4Policy cmdlet.
E. On Server2, create an IPv4 scope.
Answer: AB
Explanation:
Problem: A DHCP server is not discovered.
Solution: Verify that the DHCP server role is not installed on the IPAM server. Verify that at least one IPv4 scope is configured on a DHCP server, and that the IPAM server has a TCP/IP connection to the DHCP server. Also verify that DHCP INFORM request messages sent by IPAM server are not filtered on the network.
http://technet.microsoft.com/en-us/library/jj878309.aspx
QUESTION 212
Hotspot Question
You have a server named Server1 that has the Network Policy and Access Services server role installed.
You plan to configure Network Policy Server (NPS) on Server1 to use certificate-based authentication for VPN connections.
You obtain a certificate for NPS.
You need to ensure that NPS can perform certificate-based authentication.
To which store should you import the certificate? To answer, select the appropriate store in the answer area.
Answer:
QUESTION 213
Your network contains an Active Directory domain named contoso.com.
The domain contains a server named Server1 that runs Windows Server 2012 R2.
Server1 has the Network Policy Server role service installed.
You plan to configure Server1 as a Network Access Protection (NAP) health policy server for VPN enforcement by using the Configure NAP wizard.
You need to ensure that you can configure the VPN enforcement method on Server1 successfully.
What should you install on Server1 before you run the Configure NAP wizard?
A. The Remote Access server role
B. A system health validator (SHV)
C. A computer certificate
D. The Host Credential Authorization Protocol (HCAP)
Answer: C
Explanation:
http://technet.microsoft.com/fr-fr/library/dd314165%28v=ws.10%29.aspx
Configure Policies for VPN Enforcement The NAP health policy server uses the Network Policy Server (NPS) role service with configured network policies, health policies, and system health validators (SHVs) to evaluate client health based on administratordefined requirements. Based on the results of this evaluation, NPS instructs the virtual private network (VPN) server to provide full access to compliant NAP client computers and to restrict access to noncompliant client computers when NAP is deployed using full enforcement mode.
Remarque
Before performing this procedure, you must install a certificate for Protected Extensible Authentication Protocol (PEAP) authentication. For more information, see Install a Computer Certificate for PEAP.
You cannot continue without a valid certificate:
QUESTION 214
Your network contains an Active Directory domain named adatum.com.
The domain contains a server named Server1 that runs Windows Server 2012 R2. Server1 is configured as a Network Policy Server (NPS) server and as a DHCP server.
The network contains two subnets named Subnet1 and Subnet2. Server1 has a DHCP scope for each subnet.
You need to ensure that noncompliant computers on Subnet1 receive different network policies than noncompliant computers on Subnet2.
Which two settings should you configure? (Each correct answer presents part of the solution.
Choose two.)
A. The NAS Port Type constraints
B. The Health Policies conditions
C. The Called Station ID constraints
D. The NAP-Capable Computers conditions
E. The MS-Service Class conditions
Answer: BE
Explanation:
The network contains two subnets named Subnet1 and Subnet2. Server1 has a DHCP
scope for each subnet.
The MS-Service Class conditions can be used to identify DHCP scope, i.e subnet,
The MS-Service Class = DHCP > Network access protection tab > Use custom profile > Profile Name
You need to create health policy :
Noncompliant health policy for NonCompliant computers.
At first, you need to create health policy for noncompliant computers :
Right-click Health Policies, and then click New.
On the Create New Health Policy dialog box, under Policy Name, type Noncompliant.
Under Client SHV checks, select Client fails one or more SHV checks.
Under SHVs used in this health policy, select the Windows Security Health Validator check box, and then click OK.
More info : https://technet.microsoft.com/en-us/library/dd441008.aspx
Than you can create two network policies based on those two health policies and MS-Service Class conditions
Network policy 1 = MS-Service Class (Profile name) for subnet1 + Health policy for NonCompliant computers.
Network policy 2 = MS-Service Class (Profile name) for subnet2 + Health policy for NonCompliant computers.
Network policy :
Network policy > Conditions tab > Health policy condition + MS-service class condition.
In the NPS management console, in the tree, right-click Network Policies, and then click New.
In the Specify Network Policy Name and Connection Type window, in the Policy name box, type Noncompliant, and then click Next.
In the Specify Conditions window, click Add.
On the Select condition dialog box, double-click Health Polices.
On the Health Policies dialog box, under Health policies, select Noncompliant, and then click OK.
In the Specify Conditions window, under Conditions, verify that Health Policy is specified with a value of Noncompliant, and then click Next.
If you want to configure the MS-Service Class condition, click MS-Service Class, and then click Add. In Specify the profile name that identifies your DHCP scope,
type the name of an existing DHCP profile, and then click Add.
QUESTION 215
Hotspot Question
Your network contains an Active Directory domain named fabrikam.com.
You implement DirectAccess and an IKEv2 VPN.
You need to view the properties of the VPN connection.
Which connection properties should you view? To answer, select the appropriate connection properties in the answer area.
Answer:
QUESTION 216
Your network contains an Active Directory domain named contoso.com.
All client computers run Windows 8.
Your company has users who work from home. Some of the home users have desktop computers. Other home users have laptop computers. All of the computers are joined to the domain. All of the computer accounts are members of a group named Group1.
Currently, the home users access the corporate network by using a PPTP VPN.
You implement DirectAccess by using the default configuration and you specify Group1 as the DirectAccess client group. The home users who have desktop computers report that they cannot use DirectAccess to access the corporate network. The home users who have laptop computers report that they can use DirectAccess to access the corporate network.
You need to ensure that the home users who have desktop computers can access the network by using DirectAccess.
What should you modify?
A. The WMI filter for Direct Access Client Settings GPO
B. The conditions of the Connections to Microsoft Routing and Remote Access server policy
C. The membership of the RAS and IAS Servers group
D. The security settings of the computer accounts for the desktop computers
Answer: A
Explanation:
The default settings includes creating a GPO that has a WMI filter for laptops only.
QUESTION 217
Your network contains an Active Directory forest. The forest contains two domains named contoso.com and fabrikam.com. All of the DNS servers in both of the domains run Windows Server 2012 R2. The network contains two servers named Server1 and Server2. Server1 hosts an Active Directory-integrated zone for contoso.com. Server2 hosts an Active Directory-integrated zone for fabrikam.com. Server1 and Server2 connect to each other by using a WAN link. Client computers that connect to Server1 for name resolution cannot resolve names in fabrikam.com. You need to configure Server1 to support the resolution of names in fabrikam.com. The solution must ensure that users in contoso.com can resolve names in fabrikam.com if the WAN link fails. What should you do on Server1?
A. Create a stub zone.
B. Create a secondary zone.
C. Add a forwarder.
D. Create a conditional forwarder.
Answer: B
Explanation:
http://technet.microsoft.com/en-us/library/cc771898(v=ws.10).aspx
Stub zone doesn’t host the records themselves
Forwarder and conditional forwarders simply give instructions on where to forward DNS requests to.
QUESTION 218
Your network contains an Active Directory domain named contoso.com. The domain contains a Web server named www.contoso.com. The Web server is available on the Internet.
You implement DirectAccess by using the default configuration.
You need to ensure that users never attempt to connect to www.contoso.com by using DirectAccess. The solution must not prevent the users from using DirectAccess to access other resources in contoso.com.
Which settings should you configure in a Group Policy object (GPO)?
A. Network Connections
B. DirectAccess Client Experience Settings
C. DNS Client
D. Name Resolution Policy
Answer: D
Explanation:
http://www.techrepublic.com/blog/10things/10-things-you-should-know-aboutdirectaccess/1371
Notice this could have been Network connection:
BUT “The solution must not prevent the users from using DirectAccess to access other resources in contoso.com”
QUESTION 219
Your network contains an Active Directory domain named contoso.com. The domain contains more than 100 Group Policy objects (GPOs). Currently, there are no enforced GPOs. The domain contains a top-level organizational unit (OU) for each department.
A group named Group1 contains members from each department.
You have a GPO named GPO1 that is linked to the domain.
You need to configure GPO1 to Apply settings to Group1 only.
What should you use?
A. Dcgpofix
B. Get-GPOReport
C. Gpfixup
D. Gpresult
E. Gptedit.msc
F. Import-GPO
G. Restore-GPO
H. Set-GPInheritance
I. Set-GPLink
J. Set-GPPermission
K. Gpupdate
L. Add-ADGroupMember
Answer: J
Explanation:
http://technet.microsoft.com/en-us/library/ee461038.aspx
QUESTION 220
Your network contains an Active Directory domain named contoso.com. The domain contains more than 100 Group Policy objects (GPOs). Currently, there are no enforced GPOs.
You need to prevent all of the GPOs at the site level and at the domain level from being Applied to users and computers in an organizational unit (OU) named OU1.
You want to achieve this goal by using the minimum amount of administrative effort.
What should you use?
A. Dcgpofix
B. Get-GPOReport
C. Gpfixup
D. Gpresult
E. Gptedit.msc
F. Import-GPO
G. Restore-GPO
H. Set-GPInheritance
I. Set-GPLink
J. Set-GPPermission
K. Gpupdate
L. Add-ADGroupMember
Answer: H
Explanation:
http://technet.microsoft.com/en-us/library/ee461032.aspx
GreatExam provides guarantee of Microsoft 70-417 exam because GreatExam is an authenticated IT certifications site. The 70-417 study guide is updated with regular basis and the answers are rechecked of every exam. Good luck in your exam.