
Q31. Your network contains an Active Directory domain named contoso.com. All servers run Windows Server 2012 R2. 

The domain contains a server named Server1 that has the Network Policy Server server role and the Remote Access server role installed. The domain contains a server named Server2 that is configured as a RADIUS server. 

Server1 provides VPN access to external users. 

You need to ensure that all of the VPN connections to Server1 are logged to the RADIUS server on Server2. 

What should you run? 

A. Add-RemoteAccessRadius -ServerName Server1 -AccountingOnOffMsg Enabled -SharedSecret "Secret" -Purpose Accounting 

B. Set-RemoteAccessAccounting -AccountingOnOffMsg Enabled -AccountingOnOffMsg Enabled 

C. Add-RemoteAccessRadius -ServerName Server2 -AccountingOnOffMsg Enabled -SharedSecret "Secret" -Purpose Accounting 

D. Set-RemoteAccessAccounting -EnableAccountingType Inbox -AccountingOnOffMsg Enabled 

Answer:

Explanation: 

Add-RemoteAccessRadius 

Adds a new external RADIUS server for VPN authentication, accounting for DirectAccess (DA) and VPN, or one-time password (OTP) authentication for DA. 

-AccountingOnOffMsg<String> 

Indicates the enabled state for sending of accounting on or off messages. The acceptable values for this parameter are: 

* Enabled. 

* Disabled. This is the default value. 

This parameter is applicable only when the RADIUS server is being added for Remote Access accounting. 


Q32. You have a server named Server1 that runs Windows Server 2012 R2. Server1 has the File Server Resource Manager role service installed. 

Each time a user receives an access-denied message after attempting to access a folder on Server1, an email notification is sent to a distribution list named DL1. 

You create a folder named Folder1 on Server1, and then you configure custom NTFS permissions for Folder1. 

You need to ensure that when a user receives an access-denied message while attempting to access Folder1, an email notification is sent to a distribution list named DL2. The solution must not prevent DL1 from receiving notifications about other access-denied messages. 

What should you do? 

A. From Server Manager, run the New Share Wizard to create a share for Folder1 by selecting the SMB Share - Advanced option. 

B. From the File Server Resource Manager console, modify the Access-Denied Assistance settings. 

C. From the File Server Resource Manager console, modify the Email Notifications settings. 

D. From Server Manager, run the New Share Wizard to create a share for Folder1 by selecting the SMB Share - Applications option. 

Answer:

Reference: http://technet.microsoft.com/en-us/library/jj574182.aspx#BKMK_12 

Explanation: 

When using the email model, you can determine for each file share whether access requests to that share will be received by the administrator, a distribution list that represents the file share owners, or both. 

The owner distribution list is configured by using the SMB Share – Advanced file share profile in the New Share Wizard in Server Manager. 


Q33. Your network contains an Active Directory domain named contoso.com. All domain controllers run Windows Server 2012 R2. 

Administrators use client computers that run Windows 8 to perform all management tasks. 

A central store is configured on a domain controller named DC1. 

You have a custom administrative template file named App1.admx. App1.admx contains application settings for an application named App1. 

From a client computer named Computer1, you create a new Group Policy object (GPO) named GPO1. 

You discover that the application settings for App1 fail to appear in GPO1. 

You need to ensure that the App1 settings appear in all of the new GPOs that you create. 

What should you do? 

A. From the Default Domain Controllers Policy, add App1.admx to the Administrative Templates. 

B. Copy App1.admx to \\Contoso.com\SYSVOL\Contoso.com\Policies\PolicyDefinitions. 

C. From the Default Domain Policy, add App1.admx to the Administrative Templates. 

D. Copy App1.admx to \\Contoso.com\SYSVOL\Contoso.com\StarterGPOs. 

Answer:

Explanation: 

To take advantage of the benefits of .admx files, you must create a Central Store in the SYSVOL folder on a domain controller. The Central Store is a file location that is checked by the Group Policy tools. The Group Policy tools use any .admx files that are in the Central Store. The files that are in the Central Store are later replicated to all domain controllers in the domain. 


Q34. Your network contains an Active Directory domain named contoso.com. All domain controllers run Windows Server 2012 R2. The domain contains 500 client computers that run Windows 8 Enterprise. 

You implement a Group Policy central store. 

You have an application named App1. App1 requires that a custom registry setting be deployed to all of the computers. 

You need to deploy the custom registry setting. The solution must minimize administrator effort. 

What should you configure in a Group Policy object (GPO)? 

A. The Software Installation settings 

B. The Administrative Templates 

C. An application control policy 

D. The Group Policy preferences 

Answer:

Explanation: 

* Open the Group Policy Management Console. Right-click the Group Policy object (GPO) that should contain the new preference item, and then click Edit. 

* In the console tree under Computer Configuration or User Configuration, expand the Preferences folder, and then expand the Windows Settings folder. 

* Right-click the Registry node, point to New, and select Registry Item. 

Group Policy preferences provide the means to simplify deployment and standardize configurations. They add to Group Policy a centralized system for deploying preferences (that is, settings that users can change later). 

You can also use Group Policy preferences to configure applications that are not Group Policy-aware. By using Group Policy preferences, you can change or delete almost any registry setting, file or folder, shortcut, and more. You are not limited by the contents of Administrative Template files. The Group Policy Management Editor (GPME) includes Group Policy preferences. 

References: 

http://technet.microsoft.com/en-us/library/gg699429.aspx 

http://www.unidesk.com/blog/gpos-set-custom-registry-entries-virtual-desktops-disabling-machine-password 


Q35. You have the following Windows PowerShell Output. 

You need to create a Managed Service Account. 

What should you do? 

A. Run New-ADServiceAccount -Name "service01" -DNSHostName service01.contoso.com -SAMAccountName service01. 

B. Run New-AuthenticationPolicySilo, and then run New-ADServiceAccount -Name "service01" -DNSHostName service01.contoso.com. 

C. Run Add-KDSRootKey, and then run New-ADServiceAccount -Name "service01" -DNSHostName service01.contoso.com. 

D. Run Set-KDSConfiguration, and then run New-ADServiceAccount -Name "service01" -DNSHostName service01.contoso.com. 

Answer:

Explanation: From the exhibit we see that the required key does not exist. First we create this key, then we create the managed service account. 

The Add-KdsRootKey cmdlet generates a new root key for the Microsoft Group Key Distribution Service (KdsSvc) within Active Directory (AD). The Microsoft Group KdsSvc generates new group keys from the new root key. 

The New-ADServiceAccount cmdlet creates a new Active Directory managed service account. 

Reference: New-ADServiceAccount 

https://technet.microsoft.com/en-us/library/hh852236(v=wps.630).aspx 

Reference: Add-KdsRootKey 

https://technet.microsoft.com/en-us/library/jj852117(v=wps.630).aspx 
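The root-key-then-account sequence described in this explanation, written as an added example that is not part of the exam material. The function name and the group `App1Hosts` are hypothetical; the 10-hour check reflects the delay domain controllers apply to a newly created KDS root key.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not part of the exam material.
# 'App1Hosts' below is a hypothetical group of computer accounts.
function New-GmsaWithRootKeyCheck {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$DnsHostName,
        [Parameter(Mandatory)][string]$AllowedHostsGroup
    )

    # Domain controllers wait up to 10 hours after a root key becomes
    # effective so that it can replicate; only count keys older than that.
    $usableKey = Get-KdsRootKey |
        Where-Object { $_.EffectiveTime.AddHours(10) -le (Get-Date) } |
        Select-Object -First 1

    if (-not $usableKey) {
        # Create a key only if the domain has none at all.
        if (-not (Get-KdsRootKey) -and
            $PSCmdlet.ShouldProcess('KDS', 'Add root key')) {
            Add-KdsRootKey -EffectiveImmediately | Out-Null
        }
        Write-Warning 'No usable KDS root key yet; retry after the 10-hour window.'
        return
    }

    # Only members of the named group can retrieve the managed password.
    if ($PSCmdlet.ShouldProcess($Name, 'Create managed service account')) {
        New-ADServiceAccount -Name $Name -DNSHostName $DnsHostName `
            -PrincipalsAllowedToRetrieveManagedPassword $AllowedHostsGroup `
            -PassThru
    }
}

# Run with domain administrator rights (constructed sample values):
# New-GmsaWithRootKeyCheck -Name service01 `
#     -DnsHostName service01.contoso.com -AllowedHostsGroup App1Hosts
# Then, on each computer that is a member of App1Hosts:
# Install-ADServiceAccount -Identity service01
# Test-ADServiceAccount -Identity service01   # returns True when usable
```

Running it with `-WhatIf` shows which of the two steps would be performed without changing the directory.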


Q36. Your network contains an Active Directory domain named contoso.com. The domain contains a member server named Server1. Server1 runs Windows Server 2012 R2 and has the Hyper-V server role installed. 

Server1 hosts 10 virtual machines. A virtual machine named VM1 runs Windows Server 2012 R2 and hosts a processor-intensive application named App1. 

Users report that App1 responds more slowly than expected. 

You need to monitor the processor usage on VM1 to identify whether changes must be made to the hardware settings of VM1. 

Which performance object should you monitor on Server1? 

A. Processor 

B. Hyper-V Hypervisor Virtual Processor 

C. Hyper-V Hypervisor Logical Processor 

D. Hyper-V Hypervisor Root Virtual Processor 

E. Process 

Answer:

Explanation: 

In the simplest way of thinking, the virtual processor time is cycled across the available logical processors in a round-robin type of fashion. Thus all the processing power gets used over time, and technically nothing ever sits idle. To accurately measure the processor utilization of a guest operating system, use the "\Hyper-V Hypervisor Logical Processor(_Total)\% Total Run Time" performance monitor counter on the Hyper-V host operating system. 


Q37. Your company has a main office and a branch office. 

The network contains an Active Directory domain named contoso.com. 

The main office contains a domain controller named DC1 that runs Windows Server 2012 R2. DC1 is a DNS server and hosts a primary zone for contoso.com. The branch office contains a member server named Server1 that runs Windows Server 2012 R2. Server1 is a DNS server and hosts a secondary zone for contoso.com. 

The main office connects to the branch office by using an unreliable WAN link. 

You need to ensure that Server1 can resolve names in contoso.com if the WAN link is unavailable for three days. 

Which setting should you modify in the start of authority (SOA) record? 

A. Retry interval 

B. Refresh interval 

C. Expires after 

D. Minimum (default) TTL 

Answer:

Explanation: 

Used by other DNS servers that are configured to load and host the zone to determine when zone data expires if it is not renewed. 


Q38. Your network contains 25 Web servers that run Windows Server 2012 R2. 

You need to configure auditing policies that meet the following requirements: 

* Generate an event each time a new process is created. 

* Generate an event each time a user attempts to access a file share. 

Which two auditing policies should you configure? To answer, select the appropriate two auditing policies in the answer area. 

A. Audit access management (Not Defined) 

B. Audit directory service access (Not Defined) 

C. Audit logon events (Not Defined) 

D. Audit Object (Not Defined) 

E. Audit policy change (Not Defined) 

F. Audit privilege use (Not Defined) 

G. Audit process tracking (Not Defined) 

H. Audit system events (Not Defined) 

Answer: D,G 

Explanation: 

* Audit Object Access 

Determines whether to audit the event of a user accessing an object (for example, file, folder, registry key, printer, and so forth) which has its own system access control list (SACL) specified. 

* Audit Process Tracking 

Determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access. 

Reference: Audit object access 

https://technet.microsoft.com/en-us/library/cc976403.aspx 

Reference: Audit Process Tracking 

https://technet.microsoft.com/en-us/library/cc976411.aspx 
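To confirm that the two policies are in effect and producing the events the question asks for, the following added example (not part of the exam material) reads the effective audit settings and then pulls the resulting Security log events. It assumes an English-language OS, an elevated prompt, and the standard event IDs 4688 (process creation) and 5140 (network share accessed); the function names are hypothetical.

```powershell
# Added example, not part of the exam material. Run elevated on a web server.
function Get-AuditCoverage {
    # Legacy "Audit process tracking" corresponds to the Detailed Tracking
    # category; legacy "Audit object access" corresponds to Object Access.
    foreach ($category in 'Detailed Tracking', 'Object Access') {
        auditpol.exe /get /category:"$category" /r |
            Where-Object { $_ } |                      # drop blank lines
            ConvertFrom-Csv |
            Select-Object @{ n = 'Category'; e = { $category } },
                          Subcategory, 'Inclusion Setting'
    }
}

function Get-ProcessAndShareEvents {
    param([int]$Hours = 1)
    $filter = @{
        LogName   = 'Security'
        Id        = 4688, 5140      # process created, share accessed
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $evt  = $_
            $data = @{}
            # Flatten the named EventData fields into a lookup table.
            foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }
            [pscustomobject]@{
                Time    = $evt.TimeCreated
                EventId = $evt.Id
                User    = $data['SubjectUserName']
                Detail  = if ($evt.Id -eq 4688) { $data['NewProcessName'] }
                          else { $data['ShareName'] }
                Source  = $data['IpAddress']   # populated for 5140 only
            }
        }
}

# Get-AuditCoverage | Where-Object Subcategory -in 'Process Creation','File Share'
# Get-ProcessAndShareEvents -Hours 4 | Sort-Object Time | Format-Table -AutoSize
```

A subcategory reported as "No Auditing" by `Get-AuditCoverage` means the corresponding event ID will never appear in the second function's output.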


Q39. Your network contains an Active Directory domain named contoso.com. Network Access Protection (NAP) is deployed to the domain. 

You need to create NAP event trace log files on a client computer. 

What should you run? 

A. logman 

B. Register-ObjectEvent 

C. tracert 

D. Register-EngineEvent 

Answer:

Explanation: 

You can enable NAP client tracing by using the command line. On computers running Windows Vista, you can enable tracing by using the NAP Client Configuration console. NAP client tracing files are written in Event Trace Log (ETL) format. These are binary files representing trace data that must be decoded by Microsoft support personnel. Use the -o option to specify the directory to which they are written. In the following example, files are written to %systemroot%\tracing\nap. For more information, see Logman (http://go.microsoft.com/fwlink/?LinkId=143549). 

To create NAP event trace log files on a client computer 

Open a command line as an administrator. 

Type logman start QAgentRt -p {b0278a28-76f1-4e15-b1df-14b209a12613} 0xFFFFFFFF 9 -o %systemroot%\tracing\nap\QAgentRt.etl -ets. 

Note: To troubleshoot problems with WSHA, use the following GUID: 789e8f15-0cbf-4402-b0ed-0e22f90fdc8d. 

Reproduce the scenario that you are troubleshooting. 

Type logman stop QAgentRt -ets. 

Close the command prompt window. 

References: 

http://technet.microsoft.com/en-us/library/dd348461%28v=ws.10%29.aspx 


Q40. Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that has the Remote Access server role installed. 

DirectAccess is implemented on Server1 by using the default configuration. 

You discover that DirectAccess clients do not use DirectAccess when accessing websites on the Internet. 

You need to ensure that DirectAccess clients access all Internet websites by using their DirectAccess connection. 

What should you do? 

A. Configure a DNS suffix search list on the DirectAccess clients. 

B. Configure DirectAccess to enable force tunneling. 

C. Disable the DirectAccess Passive Mode policy setting in the DirectAccess Client Settings Group Policy object (GPO). 

D. Enable the Route all traffic through the internal network policy setting in the DirectAccess Server Settings Group Policy object (GPO). 

Answer:

Explanation: 

With IPv6 and the Name Resolution Policy Table (NRPT), by default, DirectAccess clients separate their intranet and Internet traffic as follows: 

* DNS name queries for intranet fully qualified domain names (FQDNs) and all intranet traffic is exchanged over the tunnels that are created with the DirectAccess server or directly with intranet servers. Intranet traffic from DirectAccess clients is IPv6 traffic. 

* DNS name queries for FQDNs that correspond to exemption rules or do not match the intranet namespace, and all traffic to Internet servers, is exchanged over the physical interface that is connected to the Internet. Internet traffic from DirectAccess clients is typically IPv4 traffic. 

In contrast, by default, some remote access virtual private network (VPN) implementations, including the VPN client, send all intranet and Internet traffic over the remote access VPN connection. Internet-bound traffic is routed by the VPN server to intranet IPv4 web proxy servers for access to IPv4 Internet resources. It is possible to separate the intranet and Internet traffic for remote access VPN clients by using split tunneling. This involves configuring the Internet Protocol (IP) routing table on VPN clients so that traffic to intranet locations is sent over the VPN connection, and traffic to all other locations is sent by using the physical interface that is connected to the Internet. 

You can configure DirectAccess clients to send all of their traffic through the tunnels to the DirectAccess server with force tunneling. When force tunneling is configured, DirectAccess clients detect that they are on the Internet, and they remove their IPv4 default route. With the exception of local subnet traffic, all traffic sent by the DirectAccess client is IPv6 traffic that goes through tunnels to the DirectAccess server.