MCSA Windows Server 2012 R2 Administration Study Guide Exam 70-411 (2015)
Answers to Review Questions
Chapter 1: Manage and Maintain Servers
1. D. All of the applications that are running on the Windows Server 2012 R2 machine will show up on the Details tab. Right-click the application and end the process.
2. A. If you use MBSA from the command-line utility mdsacli.exe, you can specify several options. You type mdsacli.exe/hf (from the folder that contains mdsacli.exe) and then customize the command execution with an option such as /ixxxx.xxxx.xxxx.xxxx, which specifies that the computer with the specified IP address should be scanned.
3. B and E. You can set the registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\UseWUServer to 0 to use the public Windows Update server, or you can set it to 1, which means that you will specify the server for Windows Update in theHKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate key. The WUServer key sets the Windows Update server using the server’s HTTP name, for example, http://intranetSUS.
4. C. Server Manager is the one place where you install all roles and features for a Windows Server 2012 R2 system.
5. C. All options are valid steps to complete the configuration except option C because SERVERB cannot automatically draw updates from whichever sources are on SERVERA.
6. B, D, and F. Option A schedules the updates to occur at a time when the computers are generally not connected to the corporate network. Options C and E require more user interaction than would be considered minimal. By setting updates to occur with no user interaction at noon, you satisfy the requirements.
7. D. You can recover system state data from a backup, which always includes the Active Directory database. In this case, Event Viewer and System Monitor wouldn’t help you recover the database, but they might help you determine why the hard drive crashed in the first place.
8. D. By using the Network Monitor, you can view all of the network packets that are being sent to or from the local server. Based on this information, you can determine the source of certain types of traffic, such as pings. The other types of monitoring can provide useful information, but they do not allow you to drill down into the specific details of a network packet, and they don’t allow you to filter the data that has been collected based on details about the packet.
9. A. Microsoft Baseline Security Analyzer is a free download that you can get from Microsoft’s website.
10.C. The Update Source And Proxy Server option allows you to specify where you will be receiving your updates (from Microsoft or another WSUS server) and your proxy settings if a proxy server is needed.
Chapter 2: Manage File Services
1. C. You need to publish shares in the directory before they are available to the users of the directory. If NetBIOS is still enabled on the network, the shares will be visible to the NetBIOS tools and clients, but you do not have to enable NetBIOS on shares. Although replication must occur before the shares are available in the directory, it is unlikely that the replication will not have occurred by the next day. If this is the case, then you have other problems with the directory as well.
2. A. The Sharing tab contains a check box that you can use to list the printer in Active Directory.
3. B, E, G and H. The Active Directory Users and Computers tool allows system administrators to change auditing options and to choose which actions are audited. At the file system level, Isabel can specify exactly which actions are recorded in the audit log. She can then use Event Viewer to view the recorded information and provide it to the appropriate managers.
4. B. Offline files give you the opportunity to set up files and folders so that users can work on the data while outside the company walls. Offline files allows a user to work on files while at home without the need to be logged into the network.
5. A, B, C and D. Improved security, quotas, compression, and encryption are all advantages of using NTFS over FAT32. These features are not available in FAT32. The only security you have in FAT32 is shared folder permissions.
6. A. Encrypting File System (EFS) allows a user or administrator to secure files or folders by using encryption. Encryption employs the user’s security identification (SID) number to secure the file or folder. Encryption is the strongest protection that Windows provides.
7. B. Disk quotas allow you to limit the amount of space on a volume or partition. You can set an umbrella quota for all users and then implement individual users’ quotas to bypass the umbrella quota.
8. B. Cipher is a command-line utility that allows you to configure or change EFS files and folders.
9. B. The Distributed File System (DFS) Namespace service in Windows Server 2012 R2 offers a simplified way for users to access geographically dispersed files. DFS allows you to set up a tree structure of virtual directories to allow users to connect to shared folders throughout the entire network.
10.D. File servers are used for storage of data, especially for users’ home folders. Home folders are folder locations for your users to store data that is important and that needs to be backed up.
Chapter 3: Configure DNS
1. B. Because of the .(root) zone, users will not be able to access the Internet. The DNS forwarding option and DNS root hints will not be configurable. If you want your users to access the Internet, you must remove the .(root) zone.
2. C. Active Directory Integrated zones store their records in Active Directory. Because this company has only one Active Directory forest, it’s the same Active Directory that both DNS servers are using. This allows ServerA to see all of the records of ServerB and allows ServerB to see all the records of ServerA.
3. D. The Secure Only option is for DNS servers that have an Active Directory Integrated zone. When a computer tries to register with DNS dynamically, the DNS server checks Active Directory to verify that the computer has an Active Directory account. If the computer that is trying to register has an account, DNS adds the host record. If the computer trying to register does not have an account, the record gets tossed away and the database is not updated.
4. A. If you need to complete a zone transfer from Microsoft DNS to a BIND (Unix) DNS server, you need to enable BIND Secondaries on the Microsoft DNS server.
5. B. Conditional forwarding allows you to send a DNS query to different DNS servers based on the request. Conditional forwarding lets a DNS server on a network forward DNS queries according to the DNS domain name in the query.
6. B. On a Windows Server 2012 R2 DNS machine, debug logging is disabled by default. When it is enabled, you have the ability to log DNS server activity, including inbound and outbound queries, packet type, packet content, and transport protocols.
7. D. Active Directory Integrated zones give you many benefits over using primary and secondary zones including less network traffic, secure dynamic updates, encryption, and reliability in the event of a DNS server going down. The Secure Only option is for dynamic updates to a DNS database.
8. A. Windows Server 2012 R2 DNS supports two features called DNS Aging and DNS Scavenging. These features are used to clean up and remove stale resource records. DNS zone or DNS server aging and scavenging flags old resource records that have not been updated in a certain amount of time (determined by the scavenging interval). These stale records will be scavenged at the next cleanup interval.
9. C. The dnscmd /zoneexport command creates a file using the zone resource records. This file can then be given to the Compliance department as a copy.
10.D. Stub zones are useful for slow WAN connections. These zones store only three types of resource records: NS records, glue host (A) records, and SOA records. These three records are used to locate authoritative DNS servers.
Chapter 4: Configure Routing and Remote Access
1. B. The boot threshold for an interface controls how long the relay agent will wait before forwarding DHCP requests it hears on that interface.
2. B. Multilink PPP has nothing to do with encryption of data. Multilink is easy to set up, relatively low in cost, and it makes the connection faster.
3. C and E. MS-CHAPv2 provides encrypted and mutual authentication between the respective RRAS locations. MPPE works with MS-CHAPv2 and provides encryption for all of the data between the locations. CHAP provides encrypted authentication, but MS-CHAPv2 is needed for MPPE to work. PAP is the lowest level of authentication providing passwords, but it sends passwords in cleartext, which is not the most secure solution. L2TP needs to team up with IPsec to provide the data encryption for the secure transfer of information between the locations.
4. B. MS-CHAPv2 authentication allows you to create VPN connections with a stand-alone server using PPTP and MPPE. MPPE employs keys that are created via MS-CHAPv2 or EAP-TLS authentication. EAP-TLS is not the correct answer because only domain controllers or member servers support EAP-TLS. Stand-alone servers support only MPPE. Neither PAP nor CHAP is supported with MPPE.
5. A and C. L2TP connections can be used to authenticate both sides of the VPN. L2TP needs IPsec to provide the encryption for the connection. These two together will provide the secure and authenticated transmission of data across the Internet between the two sites. PPTP connections provide encryption using only MPPE, but they don’t provide authentication between the machines. RADIUS is a service that provides dial-in connectivity. MS-CHAPv2 is an authentication protocol for clients accessing the network.
6. B. L2TP and IPsec each has its own negotiation procedure for making a connection. If you remove the IPsec portion of the connection and the problem is alleviated, it is likely that IPsec is the problem, and you can then focus on IPsec. If the problem remains, you can work on the L2TP portion of the connection. IPsec has two modes: tunnel mode and transport mode. But because L2TP is a tunneling protocol, there is no sense in using IPsec tunneling. IPsec transport mode is used with L2TP and should be set aside for troubleshooting, as discussed. The L2TP implementation in Windows Server 2012 R2 doesn’t support MPPE.
7. C. The default configuration for RRAS supports 5 PPTP ports and 5 L2TP ports. There are up to 150 sales reps trying to connect to the server, but only the first 10 will be able to connect. You can increase the number of ports available, up to 1,000, by using the Ports Properties dialog box. The Windows 8 clients are, by default, ready to support VPNs; they will first try L2TP and then switch over to PPTP if ports are unavailable.
8. C, E and G. Because the communication is not a continuous or frequent occurrence, it doesn’t make sense to have the line always available, so RRAS with demand-dial will be less expensive than ISDN, which is always up. MS-CHAPv2 provides encryption and a mutual authentication process. The MPPE provides the encryption of the actual data that travels across the connection. PAP is a cleartext authentication method, and CHAP provides only one-way authentication. L2TP doesn’t provide any encryption by itself.
9. C. When you use Windows accounting, the local Windows account logs are found in the systemroot\System32\LogFiles folder. These logs can be stored in one of two formats for later analysis—Open Database Connectivity (ODBC) or Internet Authentication Service. The Performance Monitor utility that came with Windows NT has been replaced with the system event log. This keeps track of global service errors such as initialization failures and service starts and stops. There is no RRAS authentication log. You do have RADIUS logging available; when it’s used, the log files are stored on the RADIUS servers. This is useful when you have multiple RRAS servers because you can centralize RRAS authentication requests. Active Directory is not used to log events from the various services in Windows Server 2012 R2.
10.B. The Server Status node in the RRAS snap-in shows you a summary of all the RRAS servers known to the system. Each server entry displays whether the server is up, what kind of server it is, how many ports it has, how many ports are currently in use, and how long the server has been up.
Chapter 5: Configure a Network Policy Server Infrastructure
1. B and E. By setting the Network Policy Server, you can force your DHCP users to use NAP on all of the DHCP scopes. This ensures that client systems meet minimum requirements to connect to a domain network.
2. D. Servers that are running Network Policy Server (NPS) are required to have a certificate installed on the NPS server.
3. B. One advantage of using NAP for DHCP is that you can set up user classes so that specific machines (for example, noncompliant DHCP systems) can get specific rules or limited access to the network.
4. D. Logman creates and manages Event Trace Session and Performance logs, and it allows an administrator to monitor many different applications through the use of the command line.
5. D. The higher the RADIUS priority number, the less that the RADIUS server gets used. To make sure that RADIUS ServerD is used only when ServerB and ServerC is unavailable, you would set the RADIUS priority from 1 to 10. This way it will get used only when ServerB and ServerC are having issues or are unresponsive.
6. C. The NPS snap-in allows you to set up RADIUS servers and specify which RADIUS server would accept authentication from other RADIUS servers. You can do your entire RADIUS configuration through the NPS snap-in.
7. C. NPS allows you to set up policies on how your users could log into the network. NPS allows you to set up policies that systems needs to follow, and if they don’t follow these policies or rules, they will not have access to the full network.
8. C. Windows Server 2012 R2 comes with Extensible Authentication Protocol with Transport Level Security (EAP-TLS). This EAP type allows you to use public key certificates as an authenticator. TLS is similar to the familiar Secure Sockets Layer (SSL) protocol used for web browsers and 802.1X authentication. When EAP-TLS is turned on, the client and server send TLS-encrypted messages back and forth. EAP-TLS is the strongest authentication method you can use; as a bonus, it supports smart cards. However, EAP-TLS requires your NPS server to be part of the Windows Server 2012 R2 domain.
9. B and D. PEAP-MS-CHAP v2 is an EAP-type protocol that is easier to deploy than Extensible Authentication Protocol with Transport Level Security (EAP-TLS). It is easier because user authentication is accomplished by using password-based credentials (username and password) instead of digital certificates or smart cards. Both PEAP and EAP both use certificates with their protocols.
10.C. One advantage of NPS is that you can use the accounting part of NPS so that you can keep track of what each department does on your NPS server. This way, departments pay for the amount of time they use on the SQL server database.
Chapter 6: Configure and Manage Active Directory
1. A. Using images allows you to back up and restore your entire Windows Server 2012 R2 machine instead of just certain parts of data.
2. C. The Backup Once link allows you to start a backup on the Windows Server 2012 R2 system.
3. D. If you need to back up and restore your Windows Server 2012 R2 machine, you need to use the Windows Server Backup MMC.
4. C. To create multiple password policies, you would use ADSI Edit (or adsiedit.msc).
5. D. Universal security groups, global groups, and domain local groups are all available when you are running a Windows 2008 and Windows 2012 domain functional level.
6. B, C and E. The Account Lockout Duration setting states how long an account will be locked out if the password is entered incorrectly. The Account Lockout Threshold setting is the number of bad password attempts, and the Account Lockout Counter setting is the time in which the bad password attempts are made. Once Account Lockout Counter reaches 0, the number of bad password attempts returns to 0.
7. D. When resources are made available to users who reside in domains outside the forest, foreign security principal objects are automatically created. These new objects are stored within the Foreign Security Principals folder.
8. B. The primary method by which systems administrators create and manage application data partitions is through the ntdsutil tool.
9. A and E. To meet the requirements, Robert should use the normal backup type to create a full backup every week and the incremental backup type to back up only the data that has been modified since the last full or incremental backup operation.
10.B and D. You would need to transfer the two forestwide operations master roles: Schema Master and Domain Naming Master. This means that there can only be one Schema Master and only one Domain Naming Master per forest. The PDC Emulator Master, RID Master, and Infrastructure Master are all domain-based operations master roles. (Each domain in the forest must have a domain controller with these three roles installed.)
Chapter 7: Configure and Manage Group Policy
1. C. The Delegation of Control Wizard can be used to allow other system administrators permission to add GPO links.
2. C. The system administrator can specify whether the application will be uninstalled or whether future installations will be prevented.
3. B. You would use GPUpdate.exe /force. The /force switch forces the GPO to reapply all policy settings. By default, only policy settings that have changed are applied.
4. A. You would use the Windows PowerShell Invoke-GPUpdate cmdlet. This PowerShell cmdlet allows you to force the GPO to reapply the policies immediately.
5. D. DVD Present Targeting is not one of the options that you may consider when using item-level targeting.
6. A and B. If you want your clients to be able to edit domain-based GPOs by using the ADMX files that are stored in the ADMX Central Store, you must be using Windows Vista, Windows 7, Windows 8, or Windows Server 2003/2008/2008 R2/2012/2012 R2.
7. D. If you assign an application to a user, the application does not get automatically installed. To have an application automatically installed, you must assign the application to the computer account. Since Finance is the only OU that should receive this application, you would link the GPO to Finance only.
8. C. The Resultant Set of Policy (RSoP) utility displays the exact settings that apply to individual users, computers, OUs, domains, and sites after inheritance and filtering have taken effect. Desktop wallpaper settings are under the User section of the GPO, so you would run the RSoP against the user account.
9. B. The Enforced option can be placed on a parent GPO, and this option ensures that all lower-level objects inherit these settings. Using this option ensures that Group Policy inheritance is not blocked at other levels.
10.A. If the data transfer rate from the domain controller providing the GPO to the computer is slower than what you have specified in the slow link detection setting, the connection is considered to be a slow connection, and the application will not install properly.