70-410 easy pass guide: Preparing for Microsoft 70-410 exam is really a tough task to accomplish. However, GreatExam delivers the most comprehensive braindumps, covering each and every aspect of 70-410 exam curriculum.
QUESTION 21
Your network contains three servers that run Windows Server 2012 R2.
The servers are configured as shown in the following table.
Server3 is configured to obtain an IP address automatically.
You need to prevent Server3 from receiving an IP address from Server1.
What should you create on Server1?
A. A reservation
B. A filter
C. A scope option
D. An exclusion
Answer: B
Explanation:
A. For clients that require a constant IP address
B. Filter to exclude MAC address of Server3
C. Range of allowed IP’s to be assigned
D. Exclude range of IP’s
MAC address based filtering ensure that only a known set of devices in the system are able to obtain an IPAddress from the DHCP
Reservation and Exclusion, two incredibly different concepts. An exclusion is an address or range of addresses taken from a DHCP scope that the DHCP server is notallowed to hand out. For example, if you have set a DHCP server to exclude the address range 192.168.0.1-192.168.0.10 then the only way a computer on your network would get an address of 192.168.0.4 would be ifyou assigned it statically on that machine. This is because DHCP knows NOT to give this range of IPaddresses out.
A reservation is a specific IP addresses that is tied to a certain device through its MAC address. Forexample, if we have a workstation on the network that requires a certain IP address, but we don’t want to gothrough to trouble of assigning it statically, then we can create a reservation for it. So if the MAC address of theNIC on the computer is AA-BB-00FF-CC-AA and we want it to maintain the IP address of 192.168.0.100 thenwe would create a DHCP reservation under that particular scope saying that the IP address 192.168.0.100
isreserved only for the MAC address AA-BB-00-FF-CC-AA.
http://technet.microsoft.com/en-us/magazine/ff521761.aspx
http://technet.microsoft.com/en-us/library/cc726954(v=ws.10).aspx http://www.windowsnetworking.com/kbase/WindowsTips/Windows2003/AdminTips/Network/DHC PReservationsandExclusions.html
QUESTION 22
Your network contains an Active Directory forest. The forest contains two domains named contoso.com and corp.contoso.com. The forest contains four domain controllers. The domain controllers are configured as shown in the following table.
All domain controllers are DNS servers. In the corp.contoso.com domain, you plan to deploy a new domain controller named DCS.
You need to identify which domain controller must be online to ensure that DCS can be promoted successfully to a domain controller.
Which domain controller should you identify?
A. DC1
B. DC2
C. DC3
D. DC4
Answer: C
Explanation:
A. Wrong Domain
B. Wrong Domain
C. Right domain, RID Master must be online
D. Right domain but Not needed to be online
Relative ID (RID) Master:
Allocates active and standby RID pools to replica domain controllers in the same domain. (corp.contoso.com) Must be online for newly promoted domain controllers to obtain a local RID pool that is required to advertise or when existing domain controllers have to update their current or standby RID pool allocation.
The RID master is responsible for processing RID pool requests from all domain controllers in a particular domain. When a DC creates a security principal object such as a user or group, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain), and a relative ID (RID) that is unique for each security principal SID created in a domain. Each DC in a domain is allocated a pool of RIDs that it is allowed to assign to the security principals it creates. When a DC’s allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain’s RID master. The domain RID master responds to the request by retrieving RIDs from the domain’s unallocated RID pool and assigns them to the pool of the requesting DC At any one time, there can be only one domain controller acting as the RID master in the domain.
http://support.microsoft.com/kb/223346
QUESTION 23
Your network contains an Active Directory domain named contoso.com.
You log on to a domain controller by using an account named Admin1.
Admin1 is a member of the Domain Admins group.
You view the properties of a group named Group1 as shown in the exhibit. (Click the Exhibit button.) Group1 is located in an organizational unit (OU) named OU1.
You need to ensure that users from Group1 can modify the Security settings of OU1 only.
What should you do from Active Directory Users and Computers?
A. Modify the Managed By settings on OU1.
B. Right-click contoso.com and select Delegate Control.
C. Right-click OU1 and select Delegate Control.
D. Modify the Security settings of Group1.
Answer: C
Explanation:
A. The distinguished name of the user that is assigned to manage this object.
B. Would delegate control to the whole domain
C. Delegates control to the OU OU1 only
D. Wrong Feature
An organizational unit is the smallest scope or unit to which you can assign Group Policy settings or delegate administrative authority. A user can have administrative authority for all organizational units in a domain or for a single organizational unit.
You can delegate administrative control to any level of a domain tree by creating organizational units within a domain and delegating administrative control for specific organizational units to particular users or groups. Administrative control can be assigned to a user or group by using the Delegation of Control Wizard or through the Authorization Manager console.
Both of these tools allow you to assign rights or permissions to particular users or groups.
http://technet.microsoft.com/en-us/library/cc758565%28v=ws.10%29.aspx http://technet.microsoft.com/en-us/library/cc778807%28v=ws.10%29.aspx http://msdn.microsoft.com/en-us/library/windows/desktop/ms676857(v=vs.85).aspx http://technet.microsoft.com/en-us/library/cc732524.aspx
QUESTION 24
Your network contains an Active Directory forest named contoso.com.
All domain controllers currently run Windows Server 2008 R2.
You plan to install a new domain controller named DC4 that runs Windows Server 2012 R2.
The new domain controller will have the following configurations:
– Schema master
– Global catalog server
– DNS Server server role
– Active Directory Certificate Services server role
You need to identify which configurations Administrators by using the Active Directory Installation Wizard.
Which two configurations should you identify? (Each correct answer presents part of the solution. Choose two.)
A. Transfer the schema master.
B. Enable the global catalog server.
C. Install the DNS Server role
D. Install the Active Directory Certificate Services role.
Answer: AD
Explanation:
AD Installation Wizard will automatically install DNS and allows for the option to set it as a global catalog server. ADCS and schema must be done separately.
http://technet.microsoft.com/en-us/library/hh831457.aspx
QUESTION 25
Your network contains an Active Directory domain named contoso.com. The domain contains two domain controllers. The domain controllers are configured as shown in the following table.
In the perimeter network, you install a new server named Server1 that runs Windows Server 2012 R2. Server1 is in a workgroup.
You need to perform an offline domain join of Server1 to the contoso.com domain.
What should you do first?
A. Transfer the PDC emulator role to Dc1.
B. Run the djoin.exe command.
C. Run the dsadd.exe command.
D. Transfer the infrastructure master role to DC1.
Answer: B
Explanation:
A. Creates a new Active Directory computer.
B. Use djoin for offline join in the perimeter network
C. Adds specific types of objects to the directory.
D. Add the local computer to a domain or workgroup.
To perform an offline domain join, you run commands by using a new tool named Djoin.exe.
You use Djoin.exe to provision computer account data into AD DS.
You also use it to insert the computer account data intothe Windows directory of the destination computer, which is the computer that you want to join to the domain.
Create the account djoin /provision /domain winsrvtuts.wst /machine Win7 /savefile c:\yourFile.txt Run on the target systemdjoin /requestodj /loadfile c:\yourFile.txt /windowspath c:\Windows /localos
http://technet.microsoft.com/en-us/library/ee617245.aspx
http://technet.microsoft.com/en-us/library/ff793312(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc753708(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/hh849798.aspx
http://winsrvtuts.com/2011/08/off-line-domain-join-with-djoin-exe/
http://technet.microsoft.com/en-us/library/offline-domain-join-djoin-step- bystep%28v=ws.10%29.aspx
QUESTION 26
Drag and Drop Question
Your network contains two Active Directory forests named adatum.com and contoso.com.
Both forests contain multiple domains. A two-way trust exists between the forests.
The contoso.com domain contains a domain local security group named Group1.
Group1 contains contoso\user1 and adatum\user1.
You need to ensure that Group1 can only contain users from the contoso.com domain.
Which three actions should you perform? To answer, move three actions from the list of actions to the answer area and arrange them in the correct order.
Answer:
Explanation:
Domain local Groups that are used to grant permissions within a single domain. Members of domain local groups can include only accounts (both user and computer accounts) and groups from thedomain in which they are defined.
———– to review………. Universal groups can only include objects from its own forest Groups can have — domain local, built-in local, global, and universal. That is, the groups have different areas in different scopes which they are valid.
A domain local group is a security or distribution group that can contain universal groups, global groups, other domain local groups from its own domain, and accounts from any domain in the forest. You can give domain local security groups rights and permissions on resources that reside only in the same domain where the domain local group is located. A global group is a group that can be used in its own domain, in member servers and in workstations of the domain, and in trusting domains. In all those locations, you can give a global group rights and permissions and the global group can become a member of local groups. However, a global group can contain user accounts that are only from its own domain. A universal group is a security or distribution group that contains users, groups, and computers from any domain in its forest as members.
You can give universal security groups rights and permissions on resources in any domain in the forest. Universal groups are not supported.
Domain local -Groups that are used to grant permissions within a single domain. Members of domain local groups can include only accounts (both user and computer accounts) and groups from the domain in which they are defined. Built-in local – Groups that have a special group scope that have domain local permissions and, for simplicity, are often referred to as domain local groups. The difference between built-in local groups and other groups is that built-in local groups can’t be created or deleted. You can only modify built-in local groups. References to domain local groups apply to built-in local groups unless otherwise noted. Global -Groups that are used to grant permissions to objects in any domain in the domain tree or forest. Members of global groups can include only accounts and groups from the domain in which they are defined. Universal – Groups that are used to grant permissions on a wide scale throughout a domain tree or forest. Members of global groups include accounts and groups from any domain in the domain tree or forest.
Global to universal. This conversion is allowed only if the group that you want to change is not a member of another global scope group. Domain local to universal. This conversion is allowed only if the group that you want to change does not have another domain local group as a member. Universal to global. This conversion is allowed only if the group that you want to change does not have another universal group as a member. Universal to domain local. There are no restrictions for this operation.
http://technet.microsoft.com/en-us/library/bb726978.aspx
http://technet.microsoft.com/en-us/library/cc755692(v=ws.10).aspx
QUESTION 27
Your network contains an Active Directory domain named contoso.com.
You discover that when you join client computers to the domain manually, the computer accounts are created in the Computers container.
You need to ensure that new computer accounts are created automatically in an organizational unit (OU) named Corp.
Which tool should you use?
A. net.exe
B. redircmp.exe
C. regedit.exe
D. dsadd.exe
Answer: B
Explanation:
A. Used to stop/start protocols
B. Redirects the default container for newly created computers to a specified, target organizational unit
C. Modify local registry entries
D. Adds specific types of objects to the directory
Redirects the default container for newly created computers to a specified, target organizational unit (OU) so that newly created computer objects are created in the specific target OU instead of in CN=Computers.
You must run the redircmp command from an elevated command prompt.
Redircmp.exe is located in the C:\Windows\System32 folder.
You must be a member of the Domain Admins group or the Enterprise Admins group to use this tool.
http://technet.microsoft.com/en-us/library/bb490949.aspx
http://technet.microsoft.com/en-us/library/cc770619(v=ws.10).aspx http://technet.microsoft.com/en-us/library/cc753708(v=ws.10).aspx
QUESTION 28
You have a server named Server2 that runs Windows Server 2012 R2. Server2 has the Hyper-V server role installed. The disks on Server2 are configured as shown in the exhibit. (Click the Exhibit button.)
You create a virtual machine on Server2 named VM1.
You need to ensure that you can configure a pass-through disk for VM1.
What should you do?
A. Convert Disk 1 to a basic disk.
B. Take Disk 1 offline.
C. Create a partition on Disk 1.
D. Convert Disk 1 to a MBR disk.
Answer: B
Explanation:
http://blogs.technet.com/b/askcore/archive/2008/10/24/configuring-pass-through-disks- inhyperv.aspx
Pass-through Disk Configuration
Hyper-V allows virtual machines to access storage mapped directly to the Hyper-V server without requiring the volume be configured. The storage can either be a physical disk internal to the Hyper-V server or it can be a Storage Area Network (SAN) Logical Unit (LUN) mapped to the Hyper-V server. To ensure the Guest has exclusive access to the storage, it must be placed in an Offline state from the Hyper-V server perspective
QUESTION 29
You have a server named Server1 that runs Windows Server 2012 R2. Server1 has the Hyper-V server role installed. Server1 is connected to two Fibre Channel SANs and is configured as shown in the following table.
You have a virtual machine named VM1.
You need to configure VM1 to connect to SAN1.
What should you do first?
A. Add one HBA
B. Create a Virtual Fibre Channel SAN.
C. Create a Hyper-V virtual switch.
D. Configure network adapter teaming.
Answer: B
Explanation:
You need your virtualized workloads to connect easily and reliably to your existing storage arrays. WindowsServer 2012 provides Fibre Channel ports within the guest operating system, which allows you toconnect to Fibre Channel directly from within virtual machines. This feature protects your investments inFibre Channel, enables you to virtualize workloads that use direct access to Fibre Channel storage, allows youto cluster guest operating systems over Fibre Channel, and provides an important new storage option forservers hosted in your virtualization infrastructure.
With this Hyper-V virtual Fibre Channel feature, you can connect to Fibre Channel storage from within a virtualmachine. This allows you to use your existing Fibre Channel investments to support virtualized workloads.
Support for Fibre Channel in Hyper-V guests also includes support for many related features, such as virtualSANs, live migration, and MPIO.
http://technet.microsoft.com/en-us/library/hh831413.aspx
QUESTION 30
You work as a senior administrator at L2P.com. The L2P.com network consists of a single domain named L2P.com. All servers on the L2P.com network have Windows Server 2012 installed, and all workstations have Windows 8 installed.
You are running a training exercise for junior administrators.
You are currently discussing the Always Offline Mode.
Which of the following is TRUE with regards to the Always Offline Mode? (Choose all that apply.)
A. It allows for swifter access to cached files and redirected folders.
B. To enable Always Offline Mode, you have to satisfy the forest and domain functional-level requirements,
as well as schema requirements.
C. It allows for lower bandwidth usage due to users are always working offline.
D. To enable Always Offline Mode, you must have workstations running Windows 7 or Windows
Server 2008 R2.
Answer: AC
Explanation:
Offline Files have four modes of operation:
Online
Slow link
Auto offline
Manual offline
Offline Files transition between the three modes online, slow link and auto offline depending on connection speed. The user can always override the automatic mode selection by manually switching to manual offline mode.
To determine the connection speed two pings with default packet size are sent to the file server. If the average round-trip time is below 80 ms (Windows 7) or 35 ms (Windows 8), the connection is put into online mode, otherwise into slow link mode. The latency value of 35/80 ms is configurable through the Group Policy setting Configure slow-link mode.
Reads, Writes and Synchronization
In online mode, changes to files are made on the file server as well as in the local cache (this induces a performance hit – see this article for details). Reads are satisfied from the local cache (if in sync).
In slow link mode, changes to files are made in the local cache. The local cache is background-synchronized with the file server every 6 hours (Windows 7) or 2 hours (Windows 8), by default. This can be changed through the Group Policy setting Configure Background Sync. . In auto offline mode, all reads and writes go to the local cache. No synchronization occurs. . In manual offline mode, all reads and writes go to the local cache. No synchronization occurs by default, but background synchronization can be enabled through the Group Policy setting Configure
Background Sync.
http://technet.microsoft.com/en-us/library/hh968298.aspx
http://helgeklein.com/blog/2012/04/windows-7-offline-files-survival-guide/
QUESTION 31
Your network contains an Active Directory domain named contoso.com.
The domain contains a domain controller named DC1 that runs Windows Server 2012 R2.
You need to configure a central store for the Group Policy Administrative Templates.
What should you do on DC1?
A. From Server Manager, create a storage pool.
B. From Windows Explorer, copy the PolicyDefinitions folder to the SYSVOL\contoso.com\policies folder.
C. From Server Manager, add the Group Policy Management feature
D. From Windows Explorer, copy the PolicyDefinitions folder to the NETLOGON share.
Answer: B
Explanation:
A. Create Disk Storage Pool
B. PolicyDefinitions folder in SYSVOL
C. Group Policy Management is a console for GPO Mgmt
D. Folder is for logon scripts
PolicyDefinitions folder within the SYSVOL folder hierarchy. By placing the ADMX files in this directory,they are replicated to every DC in the domain; by extension, the ADMX-aware Group Policy ManagementConsole in Windows Vista, Windows 7, Windows Server 2008 and R2 can check this folder as an additionalsource of ADMX files, and will report them accordingly when setting your policies.
By default, the folder is not created. Whether you are a single DC or several thousand, I would stronglyrecommend you create a Central Store and start using it for all your ADMX file storage. It really does work well.
The Central Store To take advantage of the benefits of .admx files, you must create a Central Store in the SYSVOL folder ona domain controller. The Central Store is a file location that is checked by the Group Policy tools. The GroupPolicy tools use any .admx files that are in the Central Store. The files that are in the Central Store are laterreplicated to all domain controllers in the domain. To create a Central Store for .admx and .adml files, create a folder that is named PolicyDefinitions in thefollowing location:
\\FQDN\SYSVOL\FQDN\policies
Note: FQDN is a fully qualified domain name.
http://tigermatt.wordpress.com/tag/policydefinitions/
http://support.microsoft.com/kb/929841/en-us
http://www.virtuallyimpossible.co.uk/how-to-create-a-group-policy-central-store/ http://support.microsoft.com/kb/2741591/en-us
QUESTION 32
You install Windows Server 2012 R2 on a standalone server named Server1.
You configure Server1 as a VPN server.
You need to ensure that client computers can establish PPTP connections to Server1.
Which two firewall rules should you create? (Each correct answer presents part of the solution. Choose two.)
A. An inbound rule for protocol 47
B. An outbound rule for protocol 47
C. An inbound rule for TCP port 1723
D. An inbound rule for TCP port 1701
E. An outbound rule for TCP port 1723
F. An outbound rule for TCP port 1701
Answer: AC
Explanation:
To enable VPN tunnels between individual host computers or entire networks that have a firewall between them, you must open the following ports:
PPTP
To allow PPTP tunnel maintenance traffic, open TCP 1723. To allow PPTP tunneled data to pass through router, open Protocol ID 47. http://www.windowsitpro.com/article/pptp/which-ports-do-you-need-to-open-on-a-firewall-to- allow-pptp-andl2tp-over-ipsec-vpn-tunnels–46811
If you use a personal firewall or a broadband router, or if there are routers or firewalls between the VPN client and the VPN server, the following ports and protocol must be enabled for PPTP on all firewalls and routers that are between the VPN client and the VPN server:
Client ports Server port Protocol
1024-65535/TCP 1723/TCP PPTP
Additionally, you must enable IP PROTOCOL 47 (GRE).
http://support.microsoft.com/kb/314076/en-us
QUESTION 33
Your network contains an Active Directory domain named adatum.com. The computer accounts for all member servers are located in an organizational unit (OU) named Servers.
You link a Group Policy object (GPO) to the Servers OU.
You need to ensure that the domain’s Backup Operators group is a member of the local Backup Operators group on each member server.
The solution must not remove any groups from the local Backup Operators groups.
What should you do?
A. Add a restricted group named adatum\Backup Operators.
Add Backup Operators to the This group is a member of list.
B. Add a restricted group named adatum\Backup Operators.
Add Backup Operators to the Members of this group list.
C. Add a restricted group named Backup Operators.
Add adatum\Backup Operators to the This group is a member of list.
D. Add a restricted group named Backup Operators.
Add adatum\Backup Operators to the Members of this group list.
Answer: A
Explanation:
A. The Member Of list specifies which other groups the restricted group should belong to
B. Needs to be added to member of list
C. Wrong group
D. Wrong group
Restricted groups allow an administrator to define two properties for security-sensitive groups (that is,”restricted” groups).
The two properties are Members and Member Of . The Members list defines who should and should not belongto the restricted group. The Member Of list specifies which other groups the restricted group should belong to.
When a restricted Group Policy is enforced, any current member of a restricted group that is not on theMembers list is removed. Any user on the Members list which is not currently a member of the restrictedgroup is added.
The Restricted Groups folder is available only in Group Policy objects associated with domains, OUs,and sites. The Restricted Groups folder does not appear in the Local Computer Policy object. If a Restricted Group is defined such that it has no members (that is, the Members list is empty), then allmembers of the group are removed when the policy is enforced on the system. If the Member Of list is emptyno changes are made to any groups that the restricted group belongs to. In short, an empty Members listmeans the restricted group should have no members while an empty Member Of list means “don’t care” whatgroups the restricted group belongs to.
http://technet.microsoft.com/en-us/library/cc957640.aspx
QUESTION 34
Your network contains an Active Directory domain named contoso.com. All servers run Windows Server 2012 R2. An application named Appl.exe is installed on all client computers. Multiple versions of Appl.exe are installed on different client computers. Appl.exe is digitally signed.
You need to ensure that only the latest version of Appl.exe can run on the client computers.
What should you create?
A. An application control policy packaged app rule
B. A software restriction policy certificate rule
C. An application control policy Windows Installer rule
D. An application control policy executable rule
Answer: D
Explanation:
A. A publisher rule for a Packaged app is based on publisher, name and version
B. You can create a certificate rule that identifies software and then allows or does not allow the software torun, depending on the security level.
C. For .msi or .msp
D. Executable Rules, for .exe and can be based on Publisher, Product name, filename and version. Use Certificate Rules on Windows Executables for Software Restriction Policies This security setting determines if digital certificates are processed when a user or process attempts to runsoftware with an .exe file name extension. This security settings is used to enable or disable certificate rules, atype of software restriction policies rule. With software restriction policies, you can create a certificate rule thatwill allow or disallow software that is signed by Authenticode to run, based on the digital certificate that isassociated with the software. In order for certificate rules to take effect, you must enable this security setting. When certificate rules are enabled, software restriction policies will check a certificate revocation list (CRL) tomake sure the software’s certificate and signature are valid. This may decrease performance when start signedprograms. You can disable this feature. On Trusted Publishers Properties, clear the Publisher and Timestampcheck boxes.
http://technet.microsoft.com/en-us/library/dd759068.aspx
http://technet.microsoft.com/en-us/library/hh994588.aspx http://www.grouppolicy.biz/2012/08/how-manage-published-a-k-a-metro-apps-in-windows8-using- grouppolicy/
http://technet.microsoft.com/en-us/library/hh994597.aspx#BKMK_Cert_Rules http://technet.microsoft.com/en-us/library/cc782660%28v=ws.10%29.aspx
QUESTION 35
Your network contains an Active Directory domain named contoso.com.
All domain controllers run Windows Server 2012 R2.
You need to ensure that the local Administrator account on all computers is renamed to L_Admin. Which Group Policy settings should you modify?
A. Security Options
B. User Rights Assignment
C. Restricted Groups
D. Preferences
Answer: A
Explanation:
http://technet.microsoft.com/en-us/library/cc747484(v=ws.10).aspx
GreatExam provides guarantee of Microsoft 70-410 exam because GreatExam is an authenticated IT certifications site. The 70-410 study guide is updated with regular basis and the answers are rechecked of every exam. Good luck in your exam.