Free Instant Download NEW 70-411 Exam Dumps (PDF & VCE):
Available on: https://www.certleader.com/70-411-dumps.html


Q71. You have a server named Server1 that runs Windows Server 2012 R2. Server1 has the File Server Resource Manager role service installed. 

Server1 has a folder named Folder1 that is used by the human resources department. 

You need to ensure that an email notification is sent immediately to the human resources manager when a user copies an audio file or a video file to Folder1. 

What should you configure on Server1? 

A. a storage report task 

B. a file screen exception 

C. a file screen 

D. a file group 

Answer:

Explanation: 

Create file screens to control the types of files that users can save, and generate notifications when users attempt to save unauthorized files. 

With File Server Resource Manager (FSRM) you can create file screens that prevent users from saving unauthorized files on volumes or folders.

File Screen Enforcement:

You can create file screens to prevent users from saving unauthorized files on volumes or folders. There are two types of file screen enforcement: active and passive enforcement. Active file screen enforcement does not allow the user to save an unauthorized file. Passive file screen enforcement allows the user to save the file, but notifies the user that the file is not an authorized file. You can configure notifications, such as events logged to the event log or e-mails sent to users and administrators, as part of active and passive file screen enforcement.
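The file screen described above can also be created with the FSRM PowerShell module. This is an added example, not part of the original question or its explanation; the folder path, SMTP server and mail addresses are assumed values.

```powershell
# Added example: passive FSRM file screen on Folder1 that notifies the HR manager.
# Assumed values (not from the page): folder path, SMTP relay, mail addresses.
Import-Module FileServerResourceManager

$folder    = 'D:\Folder1'                # assumed location of Folder1
$hrManager = 'hr-manager@contoso.com'    # assumed recipient address

# FSRM cannot deliver e-mail actions until an SMTP relay and sender are configured.
Set-FsrmSetting -SmtpServer 'smtp.contoso.com' -FromEmailAddress 'fsrm@contoso.com'

# E-mail action. The bracketed names are FSRM notification variables that are
# expanded when the screen fires, so the message names the user and the file.
$mail = New-FsrmAction -Type Email -MailTo $hrManager `
    -Subject 'Audio/video file saved to [File Screen Path]' `
    -Body 'User [Source Io Owner] saved [Source File Path] on [Server] (group: [Violated File Group]).'

# Event log action, so the same detection also lands in the Application log
# where a log collector can pick it up.
$event = New-FsrmAction -Type Event -EventType Warning `
    -Body 'File screen hit: [Source Io Owner] saved [Source File Path].'

# "Audio and Video Files" is one of the built-in FSRM file groups.
# Without -Active the screen is passive: the save succeeds and the actions run.
# Add -Active to block the save as well as notify.
New-FsrmFileScreen -Path $folder `
    -IncludeGroup 'Audio and Video Files' `
    -Notification $mail, $event

# Confirm what was configured.
Get-FsrmFileScreen -Path $folder |
    Select-Object Path, Active, IncludeGroup
```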


Q72. Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2 and has the Network Policy Server role service installed. 

You need to enable trace logging for Network Policy Server (NPS) on Server1. 

Which tool should you use? 

A. The tracert.exe command 

B. The Network Policy Server console 

C. The Server Manager console 

D. The netsh.exe command 

Answer:

Explanation: 

NPS trace logging files 

You can use log files on servers running Network Policy Server (NPS) and NAP client computers to help troubleshoot NAP problems. Log files can provide the detailed information required for troubleshooting complex problems. 

You can capture detailed information in log files on servers running NPS by enabling remote access tracing. The Remote Access service does not need to be installed or running to use remote access tracing. When you enable tracing on a server running NPS, several log files are created in %windir%\tracing. 

The following log files contain helpful information about NAP: 

IASNAP.LOG: Contains detailed information about NAP processes, NPS authentication, and NPS authorization. 

IASSAM.LOG: Contains detailed information about user authentication and authorization. 

Membership in the local Administrators group, or equivalent, is the minimum required to enable tracing. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477). 

To create tracing log files on a server running NPS:

1. Open a command line as an administrator. 

2. Type netsh ras set tr * en. 

3. Reproduce the scenario that you are troubleshooting. 

4. Type netsh ras set tr * dis. 

5. Close the command prompt window. 

Reference: http://technet.microsoft.com/en-us/library/dd348461%28v=ws.10%29.aspx 


Q73. Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2. Server1 has the Network Policy and Access Services server role installed. 

Your company's security policy requires that certificate-based authentication must be used by some network services. 

You need to identify which Network Policy Server (NPS) authentication methods comply with the security policy. 

Which two authentication methods should you identify? (Each correct answer presents part of the solution. Choose two.) 

A. MS-CHAP 

B. PEAP-MS-CHAP v2 

C. CHAP 

D. EAP-TLS 

E. MS-CHAP v2 

Answer: B,D 

Explanation: 

PEAP is similar in design to EAP-TTLS, requiring only a server-side PKI certificate to create a secure TLS tunnel to protect user authentication, and uses server-side public key certificates to authenticate the server. When you use EAP with a strong EAP type, such as TLS with smart cards or TLS with certificates, both the client and the server use certificates to verify their identities to each other. 


Q74. Your network contains an Active Directory domain named adatum.com. The domain contains a member server named Server1 and 10 web servers. All of the web servers are in an organizational unit (OU) named WebServers_OU. All of the servers run Windows Server 2012 R2. 

On Server1, you need to collect the error events from all of the web servers. The solution must ensure that when new web servers are added to WebServers_OU, their error events are collected automatically on Server1. 

What should you do? 

A. On Server1, create a source computer initiated subscription. From a Group Policy object (GPO), configure the Configure target Subscription Manager setting. 

B. On Server1, create a source computer initiated subscription. From a Group Policy object (GPO), configure the Configure forwarder resource usage setting. 

C. On Server1, create a collector initiated subscription. From a Group Policy object (GPO), configure the Configure forwarder resource usage setting. 

D. On Server1, create a collector initiated subscription. From a Group Policy object (GPO), configure the Configure target Subscription Manager setting. 

Answer:

Explanation: 

Source-initiated subscriptions allow you to define a subscription on an event collector computer without defining the event source computers, and then multiple remote event source computers can be set up (using a group policy setting) to forward events to the event collector computer. This differs from a collector initiated subscription because in the collector initiated subscription model, the event collector must define all the event sources in the event subscription. 

1. Run the following command from an elevated privilege command prompt on the Windows Server domain controller to configure Windows Remote Management: winrm qc -q. 

2. Start group policy by running the following command: %SYSTEMROOT%\System32\gpedit.msc. 

3. Under the Computer Configuration node, expand the Administrative Templates node, then expand the Windows Components node, then select the Event Forwarding node. 

4. Right-click the SubscriptionManager setting, and select Properties. Enable the SubscriptionManager setting, and click the Show button to add a server address to the setting. Add at least one setting that specifies the event collector computer. The SubscriptionManager Properties window contains an Explain tab that describes the syntax for the setting. 

5. After the SubscriptionManager setting has been added, run the following command to ensure the policy is applied: gpupdate /force. 

If you want to configure a source computer-initiated subscription, you need to configure the following group policies on the computers that will act as the event forwarders: 

* (A) Configure Target Subscription Manager: This policy enables you to set the location of the collector computer. 


Q75. Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1. Server1 is configured as a VPN server. 

You need to configure Server1 to perform network address translation (NAT). 

What should you do? 

A. From Network Connections, modify the Internet Protocol Version 4 (TCP/IPv4) setting of each network adapter. 

B. From Network Connections, modify the Internet Protocol Version 6 (TCP/IPv6) setting of each network adapter. 

C. From Routing and Remote Access, add an IPv6 routing protocol. 

D. From Routing and Remote Access, add an IPv4 routing protocol. 

Answer:

Explanation: 

To configure an existing RRAS server to support both VPN remote access and NAT routing: 

1. Open Server Manager. 

2. Expand Roles, and then expand Network Policy and Access Services. 

3. Right-click Routing and Remote Access, and then click Properties. 

4. Select IPv4 Remote access Server or IPv6 Remote access server, or both. 


Q76. Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2. Server1 has the Network Policy Server role service installed. 

You plan to configure Server1 as a Network Access Protection (NAP) health policy server for VPN enforcement by using the Configure NAP wizard. 

You need to ensure that you can configure the VPN enforcement method on Server1 successfully. 

What should you install on Server1 before you run the Configure NAP wizard? 

A. A system health validator (SHV) 

B. The Host Credential Authorization Protocol (HCAP) 

C. A computer certificate 

D. The Remote Access server role 

Answer:

Explanation: 

Configure NAP enforcement for VPN 

This checklist provides the steps required to deploy computers with Routing and Remote Access Service installed and configured as VPN servers with Network Policy Server (NPS) and Network Access Protection (NAP). 


Q77. You have the following Windows PowerShell Output. 

You need to create a Managed Service Account. 

What should you do? 

A. Run New-ADServiceAccount -Name "service01" -DNSHostName service01.contoso.com -SAMAccountName service01. 

B. Run New-AuthenticationPolicySilo, and then run New-ADServiceAccount -Name "service01" -DNSHostName service01.contoso.com. 

C. Run Add-KDSRootKey, and then run New-ADServiceAccount -Name "service01" -DNSHostName service01.contoso.com. 

D. Run Set-KDSConfiguration, and then run New-ADServiceAccount -Name "service01" -DNSHostName service01.contoso.com. 

Answer:

Explanation: From the exhibit we see that the required key does not exist. First we create this key, then we create the managed service account. 

The Add-KdsRootKey cmdlet generates a new root key for the Microsoft Group Key Distribution Service (KdsSvc) within Active Directory (AD). The Microsoft Group KdsSvc generates new group keys from the new root key. 

The New-ADServiceAccount cmdlet creates a new Active Directory managed service account. 

Reference: New-ADServiceAccount 

https://technet.microsoft.com/en-us/library/hh852236(v=wps.630).aspx 

Reference: Add-KdsRootKey 

https://technet.microsoft.com/en-us/library/jj852117(v=wps.630).aspx 
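The order of operations in the explanation above (root key first, then the account) as a script. This is an added example, not part of the original question; the account name and DNS host name come from the answer options, while the host group Service01-Hosts is a hypothetical, pre-existing AD group.

```powershell
# Added example: create the KDS root key if it is missing, then the managed
# service account, limiting which computers may retrieve its password.
Import-Module ActiveDirectory

$name    = 'service01'                  # from the question
$dnsName = 'service01.contoso.com'      # from the question
$hosts   = 'Service01-Hosts'            # hypothetical AD group of member servers

# Group managed service account passwords are derived from a KDS root key.
# New-ADServiceAccount fails if the forest has none.
if (-not (Get-KdsRootKey)) {
    # The key only becomes usable 10 hours after creation, so that every
    # domain controller has replicated it before any password is generated.
    Add-KdsRootKey -EffectiveImmediately | Out-Null

    # Isolated single-DC lab only: backdate the key to skip the wait.
    # Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))

    Write-Warning 'KDS root key created. Re-run this script after the 10-hour replication window.'
    return
}

# Only members of $hosts can fetch the managed password. Leaving this
# parameter out would create an account that no host is allowed to use.
New-ADServiceAccount -Name $name `
    -DNSHostName $dnsName `
    -PrincipalsAllowedToRetrieveManagedPassword $hosts

# Review the result: who may retrieve the password.
Get-ADServiceAccount -Identity $name `
    -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, DNSHostName, PrincipalsAllowedToRetrieveManagedPassword

# On each member server in $hosts, install and verify the account:
#   Install-ADServiceAccount -Identity service01
#   Test-ADServiceAccount    -Identity service01   # returns True when usable
```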


Q78. HOTSPOT 

Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that has the Network Policy Server server role installed. The domain contains a server named Server2 that is configured for RADIUS accounting. 

Server1 is configured as a VPN server and is configured to forward authentication requests to Server2. 

You need to ensure that only Server2 contains event information about authentication requests from connections to Server1. 

Which two nodes should you configure from the Network Policy Server console? 

To answer, select the appropriate two nodes in the answer area. 

Answer: 


Q79. HOTSPOT 

Your network contains an Active Directory domain named contoso.com. The domain contains a file server named Server1. All servers run Windows Server 2012 R2. 

You have two user accounts named User1 and User2. User1 and User2 are members of a group named Group1. User1 has the Department value set to Accounting, and User2 has the Department value set to Marketing. Both users have the Employee Type value set to Contract Employee. 

You create the auditing entry as shown in the exhibit. (Click the Exhibit button.) 

To answer, complete each statement according to the information presented in the exhibit. Each correct selection is worth one point. 

Answer: 


Q80. You have a server named Server1 that runs Windows Server 2012 R2. 

On Server1, you configure a custom Data Collector Set (DCS) named DCS1. DCS1 is configured to store performance log data in C:\Logs. 

You need to ensure that the contents of C:\Logs are deleted automatically when the folder reaches 100 MB in size. 

What should you configure? 

A. A File Server Resource Manager (FSRM) file screen on the C:\Logs folder 

B. The Data Manager settings of DCS1 

C. A schedule for DCS1 

D. A File Server Resource Manager (FSRM) quota on the C:\Logs folder 

Answer:

Explanation: 

To configure data management for a Data Collector Set 

1. In Windows Performance Monitor, expand Data Collector Sets and click User Defined. 

2. In the console pane, right-click the name of the Data Collector Set that you want to configure and click Data Manager. 

3. On the Data Manager tab, you can accept the default values or make changes according to your data retention policy. See the table below for details on each option. When Minimum free disk or Maximum folders is selected, previous data will be deleted according to the Resource policy you choose (Delete largest or Delete oldest) when the limit is reached. When Apply policy before the data collector set starts is selected, previous data will be deleted according to your selections before the data collector set creates its next log file. When Maximum root path size is selected, previous data will be deleted according to your selections when the root log folder size limit is reached. 

4. Click the Actions tab. You can accept the default values or make changes. See the table below for details on each option. 

5. When you have finished making your changes, click OK.