70-410: Installing and Configuring Windows Server 2012

Your network contains an Active Directory domain named contoso.com. You have a Group Policy object (GPO) named GP1 that is linked to the domain. GP1 contains a software restriction policy that blocks an application named App1.

You have a workgroup computer named Computer1 that runs Windows 8. A local Group Policy on Computer1 contains an application control policy that allows App1.

You join Computer1 to the domain.

You need to prevent App1 from running on Computer1.

What should you do?

From Computer1, run gpupdate/force.
From Group Policy Management, add an application control policy to GP1.
From Group Policy Management, enable the Enforced option on GP1.
In the local Group Policy of Computer1, configure a software restriction policy.

Correct answer: B

Explanation:

AppLocker policies take precedence over policies generated by SRP on computers that are running an operating system that supports AppLocker. AppLocker policies in the GPO are applied, and they supersede the policies generated by SRP in the GPO and local AppLocker policies or policies generated by SRP.

AppLocker policies take precedence over policies generated by SRP on computers that are running an operating system that supports AppLocker.

AppLocker policies in the GPO are applied, and they supersede the policies generated by SRP in the GPO and local AppLocker policies or policies generated by SRP.

Your network contains an Active Directory domain named contoso.com. All client computer accounts are in an organizational unit (OU) named AllComputers. Client computers run either Windows 7 or Windows 8.1.

You create a Group Policy object (GPO) named GP1.

You link GP1 to the AllComputers OU.

You need to ensure that GP1 applies only to computers that have more than 8 GB of memory.

What should you configure?

The Security settings of GP1
The Block Inheritance option for AllComputers
The Security settings of AllComputers
The WMI filter for GP1

Correct answer: D

Explanation:

Windows Management Instrumentation (WMI) filters allow you to dynamically determine the scope of Group Policy objects (GPOs) based on attributes of the target computer. When a GPO that is linked to a WMI filter is applied on the target computer, the filter is evaluated on the target computer. If the WMI filter evaluates to false, the GPO is not applied (except if the client computer is running Windows Server, in which case the filter is ignored and the GPO is always applied). If the WMI filter evaluates to true, the GPO is applied. WMI filters, like GPOs, are stored on a per-domain basis. A WMI filter and the GPO it is linked to must be in the same domain. References:Training Guide: Installing and Configuring Windows Server 2012 R2: Chapter 10: Implementing Group Policy, p.470, 482http://technet.microsoft.com/en-us/library/jj134176WMI filtering using GPMC

Windows Management Instrumentation (WMI) filters allow you to dynamically determine the scope of Group Policy objects (GPOs) based on attributes of the target computer.

When a GPO that is linked to a WMI filter is applied on the target computer, the filter is evaluated on the target computer. If the WMI filter evaluates to false, the GPO is not applied (except if the client computer is running Windows Server, in which case the filter is ignored and the GPO is always applied). If the WMI filter evaluates to true, the GPO is applied. WMI filters, like GPOs, are stored on a per-domain basis. A WMI filter and the GPO it is linked to must be in the same domain.

References:

Training Guide: Installing and Configuring Windows Server 2012 R2: Chapter 10: Implementing Group Policy, p.470, 482

http://technet.microsoft.com/en-us/library/jj134176

WMI filtering using GPMC

Your network contains an Active Directory domain named contoso.com. The domain contains an Application server named Server1. Server1 runs Windows Server 2012 R2.

Server1 is configured as an FTP server.

Client computers use an FTP Application named App1.exe. App1.exe uses TCP port 21 as the control port and dynamically requests a data port.

On Server1, you create a firewall rule to allow connections on TCP port 21.

You need to configure Server1 to support the client connections from App1.exe.

What should you do?

Run netsh adv firewall set global statefulftp enable.
Create an inbound firewall rule to allow App1.exe.
Create a tunnel connection security rule.
Run Set-NetFirewallRule -DisplayName DynamicFTP -Profile Domain

Correct answer: A

Explanation:

The netsh firewall context is supplied only for backward compatibility. We recommend that you do not use this context on a computer that is running Windows Vista or a later version of Windows. In the netsh advfirewall firewall context, the add command only has one variation, the add rule command. Netsh advfirewall set global statefulftp:Configures how Windows Firewall with Advanced Security handles FTP traffic that uses an initial connection on one port to request a data connection on a different port. When statefulftp is enabled, the firewall examines the PORT and PASV requests for these other port numbers and then allows the corresponding data connectionto the port number that was requested. Syntax set global statefulftp { enable | disable |notconfigured } Parameters statefulftp can be set to one of the following values:enable The firewall tracks the port numbers specified in PORT command requests and in the responses to PASV requests, and then allows the incoming FTP data traffic entering on the requested port number. disable This is the default value. The firewall does not track outgoing PORT commands or PASV responses, and so incoming data connectionson the PORT or PASV requested port is blocked as an unsolicited incoming connection. Not configured Valid only when netsh is configuring a GPO by using the set store command.

The netsh firewall context is supplied only for backward compatibility. We recommend that you do not use this context on a computer that is running Windows Vista or a later version of Windows.

In the netsh advfirewall firewall context, the add command only has one variation, the add rule command. Netsh advfirewall set global statefulftp:

Configures how Windows Firewall with Advanced Security handles FTP traffic that uses an initial connection on one port to request a data connection on a different port.

When statefulftp is enabled, the firewall examines the PORT and PASV requests for these other port numbers and then allows the corresponding data connectionto the port number that was requested.

Syntax

set global statefulftp { enable | disable |notconfigured }

Parameters

statefulftp can be set to one of the following values:

enable

The firewall tracks the port numbers specified in PORT command requests and in the responses to PASV requests, and then allows the incoming FTP data traffic entering on the requested port number.

disable

This is the default value. The firewall does not track outgoing PORT commands or PASV responses, and so incoming data connectionson the PORT or PASV requested port is blocked as an unsolicited incoming connection.

Not configured

Valid only when netsh is configuring a GPO by using the set store command.

Your network contains an Active Directory domain named contoso.com.

All client computers run Windows 8.

You deploy a server named Server1 that runs Windows Server 2012 R2.

You install a new client-server application named App1 on Server1 and on the client computers. The client computers must use TCP port 6444 to connect to App1 on Server1.Server1 publishes the information of App1 to an intranet server named Server2 by using TCP port 3080.

You need to ensure that all of the client computers can connect to App1. The solution must ensure that the application can connect to Server2.

Which Windows Firewall rule should you create on Server1?

an inbound rule to allow a connection to TCP port 3080
an outbound rule to allow a connection to TCP port 3080
an outbound rule to allow a connection to TCP port 6444
an inbound rule to allow a connection to TCP port 6444

Correct answer: D

Explanation:

Server1 gets request from Client PC’s it needs an inbound rule for 6444. By default, Windows Firewall with Advanced Security blocks all unsolicited inbound network traffic, and allows all outbound network traffic. For unsolicited inbound network traffic to reach your computer, you must create an allow rule to permit that type of network traffic. If a network program cannot get access, verify that in the Windows Firewall with Advanced Security snap-in there is an active allow rule for the current profile. To verify that there is an active allow rule, double-click Monitoring and then click Firewall. If there is no active allow rule for the program, go to the Inbound Rules node and create a new rule for that program. Create either a program rule, or a service rule, or search for a group that applies to the feature and make sure all the rules in the group are enabled. To permit the traffic, you must create a rule for the program that needs to listen for that traffic. If you know the TCP or UDP port numbers required by the program, you can additionally restrict the rule to only those ports, reducing the vulnerability of opening up all ports for the program.

Server1 gets request from Client PC’s it needs an inbound rule for 6444.

By default, Windows Firewall with Advanced Security blocks all unsolicited inbound network traffic, and allows all outbound network traffic. For unsolicited inbound network traffic to reach your computer, you must create an allow rule to permit that type of network traffic. If a network program cannot get access, verify that in the Windows Firewall with Advanced Security snap-in there is an active allow rule for the current profile. To verify that there is an active allow rule, double-click Monitoring and then click Firewall.

If there is no active allow rule for the program, go to the Inbound Rules node and create a new rule for that program. Create either a program rule, or a service rule, or search for a group that applies to the feature and make sure all the rules in the group are enabled. To permit the traffic, you must create a rule for the program that needs to listen for that traffic. If you know the TCP or UDP port numbers required by the program, you can additionally restrict the rule to only those ports, reducing the vulnerability of opening up all ports for the program.

Your network contains an Active Directory domain named contoso.com. The domain contains two servers named Server1 and Server2 that run Windows Server 2012 R2.

You create a security template named Template1 by using the security template snap-in.

You need to apply Template1 to Server2.

Which tool should you use?

Security Templates
Computer Management
Security Configuration and Analysis
System Configuration

Correct answer: C

Explanation:

A security policy is a combination of security settings that affect the security on a computer. You can use your local security policy to edit account policies and local policies on your local computer. Security templates are inactive until imported into a Group Policy object or the Security Configuration and Analysis Incorrect Answers:A: The Security Template was already created – Provide standard security option to use in security policiesB: Template1 needs to be applied at the GP levelD: The System Configuration tool is used to identify windows problemsReferences: https://www.petri.com/using-windows-server-2012-security-configuration-and-analysis-tool

A security policy is a combination of security settings that affect the security on a computer. You can use your local security policy to edit account policies and local policies on your local computer.

Security templates are inactive until imported into a Group Policy object or the Security Configuration and Analysis

Incorrect Answers:

A: The Security Template was already created – Provide standard security option to use in security policies

B: Template1 needs to be applied at the GP level

D: The System Configuration tool is used to identify windows problems

References: https://www.petri.com/using-windows-server-2012-security-configuration-and-analysis-tool

Your network contains multiple subnets.

On one of the subnets, you deploy a server named Server1 that runs Windows Server 2012 R2.

You install the DNS Server server role on Server1, and then you create a standard primary zone named contoso.com.

You need to ensure that client computers can resolve single-label names to IP addresses.

What should you do first?

Create a reverse lookup zone.
Convert the contoso.com zone to an Active Directory-integrated zone.
Configure dynamic updates for contoso.com.
Create a GlobalNames zone.

Correct answer: B

Explanation:

Although a GlobalNames zone is required in order to resolve single-label names, GNZs must be AD-integrated. Since this is a standard primary zone (as opposed to an ADDS primary zone), we must first integrate the zone into Active Directory. References:Exam Ref: 70-410: Installing and Configuring Windows Server 2012 R2, Chapter4: Deploying and configuring core network services, Objective 4.3: Deploy and Configure the DNS service, p.233http://technet.microsoft.com/en-us/library/cc731744.aspx

Although a GlobalNames zone is required in order to resolve single-label names, GNZs must be AD-integrated.

Since this is a standard primary zone (as opposed to an ADDS primary zone), we must first integrate the zone into Active Directory.

References:

Exam Ref: 70-410: Installing and Configuring Windows Server 2012 R2, Chapter4: Deploying and configuring core network services, Objective 4.3: Deploy and Configure the DNS service, p.233

http://technet.microsoft.com/en-us/library/cc731744.aspx

Your network contains an Active Directory domain named contoso.com. The DNS zone for contoso.com is Active-Directory integrated.

The domain contains 500 client computers. There are an additional 20 computers in a workgroup.

You discover that every client computer on the network can add its record to the contoso.com zone.

You need to ensure that only the client computers in the Active Directory domain can register records in the contoso.com zone.

What should you do?

Sign the contoso.com zone by using DNSSEC.
Configure the Dynamic updates settings of the contoso.com zone.
Configure the Security settings of the contoso.com zone.
Move the contoso.com zone to a domain controller that is configured as a DNS server.

Correct answer: B

Your network contains an Active Directory domain named contoso.com. The domain contains a domain controller named Server1 that has the DNS Server server role installed. Server1 hosts a primary zone for contoso.com.

The domain contains a member server named Server2 that is configured to use Server1 as its primary DNS server.

From Server2, you run nslookup.exe as shown in the exhibit. (Click the Exhibit button.)

You need to ensure that when you run Nslookup, the correct name of the default server is displayed.

What should you do?

On Server1, create a reverse lookup zone.
On Server1, modify the Security settings of the contoso.com zone.
From Advanced TCP/IP Settings on Server1, add contoso.com to the DNS suffix list.
From Advanced TCP/IP Settings on Server2, add contoso.com to the DNS suffix list.

Correct answer: A

Explanation:

Make sure that a reverse lookup zone that is authoritative for the PTR resource record exists. PTR records contain the information that is required for the server to perform reverse name lookups. References:http://technet.microsoft.com/en-us/library/cc961417.aspxExam Ref: 70-410: Installing and Configuring Windows Server 2012 R2, Chapter4: Deploying and configuring core network services, Objective 4.1: Configure IPv4 and IPv6 addressing, p.246

Make sure that a reverse lookup zone that is authoritative for the PTR resource record exists.

PTR records contain the information that is required for the server to perform reverse name lookups.

References:

http://technet.microsoft.com/en-us/library/cc961417.aspx

Exam Ref: 70-410: Installing and Configuring Windows Server 2012 R2, Chapter4: Deploying and configuring core network services, Objective 4.1: Configure IPv4 and IPv6 addressing, p.246

Your network contains an Active Directory domain named contoso.com. The domain contains a DHCP server named Server1 that runs Windows Server 2012 R2.

You create a DHCP scope named Scope1. The scope has a start address of 192.168.1.10, an end address of 192.168.1.50, and a subnet mask of 255.255.255.192.

You need to ensure that Scope1 has a subnet mask of 255.255.255.0.

What should you do first?

From the DHCP console, reconcile Scope1.
From the DHCP console, delete Scope1.
From the DHCP console, modify the Scope Options of Scope1.
From Windows PowerShell, run the Set-DhcpServerv4Scope cmdlet.

Correct answer: B

Explanation:

You cannot change the subnet mask of a DHCP scope without deleting the scope and recreating it with the new subnet mask. Incorrect Answers:Set-DhcpServerv4Scope does not include a parameter for the subnet mask.

You cannot change the subnet mask of a DHCP scope without deleting the scope and recreating it with the new subnet mask.

Incorrect Answers:

Set-DhcpServerv4Scope does not include a parameter for the subnet mask.

Your company has a main office and two branch offices. The offices connect to each other by using a WAN link.

In the main office, you have a server named Server1 that runs Windows Server 2012 R2.

Server1 is configured to use an IPv4 address only.

You need to assign an IPv6 address to Server1. The IP address must be private and routable.

Which IPv6 address should you assign to Server1?

fe80:ab32:145c::32cc:401b
ff00:3fff:65df:145c:dca8::82a4
2001:ab32:145c::32cc:401b
fd00:ab32:14:ad88:ac:58:abc2:4

Correct answer: D

Explanation:

Unique local addresses are IPv6 addresses that are private to an organization in the same way that private addresses–such as 10.x.x.x, 192.168.x.x, or 172.16.0.0 172.31.255.255–can be used on an IPv4 network. Unique local addresses, therefore, are not routable on the IPv6 Internet in the same way that an address like 10.20.100.55 is not routable on the IPv4 Internet. A unique local address is always structured as follows:The first 8 bits are always 11111101 in binary format. This means that a unique local address always begins with FD and has a prefix identifier of FD00::/8.

Unique local addresses are IPv6 addresses that are private to an organization in the same way that private addresses–such as 10.x.x.x, 192.168.x.x, or 172.16.0.0 172.31.255.255–can be used on an IPv4 network.

Unique local addresses, therefore, are not routable on the IPv6 Internet in the same way that an address like 10.20.100.55 is not routable on the IPv4 Internet. A unique local address is always structured as follows:

The first 8 bits are always 11111101 in binary format. This means that a unique local address always begins with FD and has a prefix identifier of FD00::/8.