Q131. Your network contains a Hyper-V host named Hyperv1. Hyperv1 runs Windows Server 2012 R2. 

Hyperv1 hosts four virtual machines named VM1, VM2, VM3, and VM4. AH of the virtual machines run Windows Server 2008 R2. 

You need to view the amount of memory resources and processor resources that VM4 currently uses. 

Which tool should you use on Hyperv1? 

A. Windows System Resource Manager (WSRM) 

B. Task Manager 

C. Hyper-V Manager 

D. Resource Monitor 

Answer:

Explanation: 

Hyper-V Performance Monitoring Tool Know which resource is consuming more CPU. Find out if CPUs are running at full capacity or if they are being underutilized. Metrics tracked include Total CPU utilization, Guest CPU utilization, Hypervisor CPU utilization, idle CPU utilization, etc. 

WSRM is deprecated starting with Windows Server 2012 


Q132. Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2. Server1 has the Remote Desktop Session Host role service installed. The computer account of Server1 resides in an organizational unit (OU) named OU1. 

You create and link a Group Policy object (GPO) named GPO1 to OU1. 

You need to prevent GPO1 from applying to your user account when you log on to Server1. GPO1 must apply to every other user who logs on to Server1. 

What should you configure? 

A. Security Filtering. 

B. WMI Filtering. 

C. Block Inheritance. 

D. Item-level targeting. 

Answer:

Explanation: 

You can use item-level targeting to change the scope of individual preference items, so they apply only to selected users or computers. Within a single Group Policy object (GPO), you can include multiple preference items, each customized for selected users or computers and each targeted to apply settings only to the relevant users or computers. 

Reference: https://technet.microsoft.com/en-us/library/cc733022.aspx 


Q133. Your network contains an Active Directory domain named contoso.com. The domain contains client computers that run either Windows XP or Windows 8. 

Network Policy Server (NPS) is deployed to the domain. 

You plan to create a system health validator (SHV). 

You need to identify which policy settings can be applied to all of the computers. 

Which three policy settings should you identify? (Each correct answer presents part of the solution. Choose three.) 

A. Antispyware is up to date. 

B. Automatic updating is enabled. 

C. Antivirus is up to date. 

D. A firewall is enabled for all network connections. 

E. An antispyware application is on. 

Answer: B,C,D 

Explanation: 

The WSHA on NAP client computers running Windows XP SP3 does not monitor the status of antispyware applications. 


Q134. Your network contains an Active Directory domain named contoso.com. The domain contains a file server named Server1 that runs Windows Server 2012 R2. 

You view the effective policy settings of Server1 as shown in the exhibit. (Click the Exhibit button.) 

You need to ensure that an entry is added to the event log whenever a local user account is created or deleted on Server1. 

What should you do? 

A. In Servers GPO, modify the Advanced Audit Configuration settings. 

B. On Server1, attach a task to the security log. 

C. In Servers GPO, modify the Audit Policy settings. 

D. On Server1, attach a task to the system log. 

Answer:

Explanation: 

When you use Advanced Audit Policy Configuration settings, you need to confirm that these settings are not overwritten by basic audit policy settings. The following procedure shows how to prevent conflicts by blocking the application of any basic audit policy settings. 

Enabling Advanced Audit Policy Configuration 

Basic and advanced audit policy configurations should not be mixed. As such, it’s best practice to enable Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings in Group Policy to make sure that basic auditing is disabled. The setting can be found under Computer Configuration\Policies\Security Settings\Local Policies\Security Options, and sets the SCENoApplyLegacyAuditPolicy registry key to prevent basic auditing being applied using Group Policy and the Local Security Policy MMC snap-in. 

In Windows 7 and Windows Server 2008 R2, the number of audit settings for which success and failure can be tracked has increased to 53. Previously, there were nine basic auditing settings under Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy. These 53 new settings allow you to select only the behaviors that you want to monitor and exclude audit results for behaviors that are of little or no concern to you, or behaviors that create an excessive number of log entries. In addition, because Windows 7 and Windows Server 2008 R2 security audit policy can be applied by using domain Group Policy, audit policy settings can be modified, tested, and deployed to selected users and groups with relative simplicity. 

Audit Policy settings 

Any changes to user account and resource permissions. 

Any failed attempts for user logon. 

Any failed attempts for resource access. 

Any modification to the system files. 

Advanced Audit Configuration Settings 

Audit compliance with important business-related and security-related rules by tracking precisely defined activities, such as: 

. A group administrator has modified settings or data on servers that contain finance information. 

. An employee within a defined group has accessed an important file. 

. The correct system access control list (SACL) is applied to every file and folder or registry key on a computer or file share as a verifiable safeguard against undetected access. 

In Servers GPO, modify the Audit Policy settings - enabling audit account management setting will generate events about account creation, deletion and so on. 

Advanced Audit Configuration Settings 

Advanced Audit Configuration Settings ->Audit Policy 

-> Account Management -> Audit User Account Management 

In Servers GPO, modify the Audit Policy settings - enabling audit account management setting will generate events about account creation, deletion and so on. 

Reference: 

http: //blogs. technet. com/b/abizerh/archive/2010/05/27/tracing-down-user-and-computer-account-deletion-in-active-directory. aspx 

http: //technet. microsoft. com/en-us/library/dd772623%28v=ws. 10%29. aspx 

http: //technet. microsoft. com/en-us/library/jj852202(v=ws. 10). aspx 

http: //www. petri. co. il/enable-advanced-audit-policy-configuration-windows-server. htm 

http: //technet. microsoft. com/en-us/library/dd408940%28v=ws. 10%29. aspx 

http: //technet. microsoft. com/en-us/library/dd408940%28v=ws. 10%29. 

aspx#BKMK_step2 


Q135. Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2 and has the Network Policy Server role service installed. 

You need to enable trace logging for Network Policy Server (NPS) on Server1. 

Which tool should you use? 

A. The tracert.exe command 

B. The Network Policy Server console 

C. The Server Manager console 

D. The netsh.exe command 

Answer:

Explanation: 

NPS trace logging files 

You can use log files on servers running Network Policy Server (NPS) and NAP client computers to help troubleshoot NAP problems. Log files can provide the detailed information required for troubleshooting complex problems. 

You can capture detailed information in log files on servers running NPS by enabling remote access tracing. The Remote Access service does not need to be installed or running to use remote access tracing. When you enable tracing on a server running NPS, several log files are created in %windir%\tracing. 

The following log files contain helpful information about NAP: 

IASNAP. LOG: Contains detailed information about NAP processes, NPS authentication, and NPS authorization. 

IASSAM. LOG: Contains detailed information about user authentication and authorization. 

Membership in the local Administrators group, or equivalent, is the minimum required to enable tracing. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http: //go. microsoft. com/fwlink/?LinkId=83477). 

To create tracing log files on a server running NPS 

Open a command line as an administrator. 

Type netshras set tr * en. 

Reproduce the scenario that you are troubleshooting. 

Type netshras set tr * dis. 

Close the command prompt window. 

Reference: http: //technet. microsoft. com/en-us/library/dd348461%28v=ws. 10%29. aspx 


Q136. HOTSPOT 

Your network contains an Active Directory domain named contoso.com. The domain contains 30 user accounts that are used for network administration. The user accounts are members of a domain global group named Group1. 

You identify the security requirements for the 30 user accounts as shown in the following table. 

You need to identify which settings must be implemented by using a Password Settings object (PSO) and which settings must be implemented by modifying the properties of the user accounts. 

What should you identify? To answer, configure the appropriate settings in the dialog box in the answer area. 

Answer: 


Q137. Your network contains an Active Directory domain named contoso.com. 

You need to install and configure the Web Application Proxy role service. 

What should you do? 

A. Install the Active Directory Federation Services server role and the Remote Access server role on different servers. 

B. Install the Active Directory Federation Services server role and the Remote Access server role on the same server. 

C. Install the Web Server (IIS) server role and the Application Server server role on the same server. 

D. Install the Web Server (IIS) server role and the Application Server server role on different servers. 

Answer:

Explanation: 

Web Application Proxy is a new Remote Access role service in Windows Server. 2012 R2. 


Q138. Your network contains an Active Directory domain named contoso.com. The domain contains five servers. The servers are configured as shown in the following table. 

All desktop computers in contoso.com run Windows 8 and are configured to use BitLocker Drive Encryption (BitLocker) on all local disk drives. 

You need to deploy the Network Unlock feature. The solution must minimize the number of features and server roles installed on the network. 

To which server should you deploy the feature? 

A. Server1 

B. Server2 

C. Server3 

D. Server4 

E. Server5 

Answer:

Explanation: 

The BitLocker Network Unlock feature will install the WDS role if it is not already installed. If you want to install it separately before you install BitLocker Network Unlock you can use Server Manager or Windows PowerShell. To install the role using Server Manager, select the Windows Deployment Services role in Server Manager. 


Q139. Your network contains an Active Directory domain named contoso.com. Network Access Protection (NAP) is deployed to the domain. 

You need to create NAP event trace log files on a client computer. 

What should you run? 

A. logman 

B. Register-ObjectEvent 

C. tracert 

D. Register-EngineEvent 

Answer:

Explanation: 

You can enable NAP client tracing by using the command line. On computers running Windows Vista., you can enable tracing by using the NAP Client Configuration console. NAP client tracing files are written in Event Trace Log (ETL) format. These are binary files representing trace data that must be decoded by Microsoft support personnel. Use the –o option to specify the directory to which they are written. In the following example, files are written to %systemroot%\tracing\nap. For more information, see Logman (http: //go. microsoft.com/fwlink/?LinkId=143549). 

To create NAP event trace log files on a client computer 

Open a command line as an administrator. 

Type 

logman start QAgentRt -p {b0278a28-76f1-4e15-b1df-14b209a12613} 0xFFFFFFFF 9 -o 

%systemroot%\tracing\nap\QAgentRt. etl –ets. 

Note: To troubleshoot problems with WSHA, use the following GUID: 789e8f15-0cbf-4402-b0ed-0e22f90fdc8d. 

Reproduce the scenario that you are troubleshooting. 

Type logman stop QAgentRt -ets. 

Close the command prompt window. 

References: 

http: //technet. microsoft. com/en-us/library/dd348461%28v=ws. 10%29. aspx 


Q140. Your network contains an Active Directory domain named contoso.com. The domain contains a domain controller named DC1 that runs Windows Server 2012 R2. DC1 is backed up daily. 

The domain has the Active Directory Recycle Bin enabled. 

During routine maintenance, you delete 500 inactive user accounts and 100 inactive groups. One of the deleted groups is named Group1. Some of the deleted user accounts are members of some of the deleted groups. 

For documentation purposes, you must provide a list of the members of Group1 before the group was deleted. 

You need to identify the names of the users who were members of Group1 prior to its deletion. 

You want to achieve this goal by using the minimum amount of administrative effort. 

What should you do first? 

A. Mount the most recent Active Directory backup. 

B. Reactivate the tombstone of Group1. 

C. Perform an authoritative restore of Group1. 

D. Use the Recycle Bin to restore Group1. 

Answer:

Explanation: 

The Active Directory Recycle Bin does not have the ability to track simple changes to objects. 

If the object itself is not deleted, no element is moved to the Recycle Bin for possible recovery in the future. In other words, there is no rollback capacity for changes to object properties, or, in other words, to the values of these properties.