70-412 Guide

Apr 2021 updated: Examcollection Microsoft 70-412 real exam 1-15

Exam Code: 70-412 (Practice Exam Latest Test Questions VCE PDF)
Exam Name: Configuring Advanced Windows Server 2012 Services
Certification Provider: Microsoft
2021 Apr 70-412 Study Guide Questions:

Q1. Your network contains one Active Directory forest named contoso.com. The forest contains two child domains and six domain controllers. The domain controllers are configured as shown in the following table. 


You need to enable universal group membership caching for the Europe office and Asia office sites. 

What should you use? 

A. Set-ADSite 

B. Set-ADReplicationSite 

C. Set-ADDomain 

D. Set-ADReplicationSiteLink 

E. Set-ADGroup 

F. Set-ADForest 

G. Netdom 

Answer: B 

Explanation: 

https://technet.microsoft.com/en-us/library/hh852305(v=wps.630).aspx 


Q2. HOTSPOT 

Your network contains an Active Directory domain named contoso.com. All domain controllers run Windows Server 2012 R2. 

The network has the physical sites and TCP/IP subnets configured as shown in the following table. 


You have a web application named App1 that is hosted on six separate Web servers. DNS has the host names and IP addresses registered as shown in the following table. 


You discover that when users connect to app1.contoso.com, they are connected frequently to a server that is not on their local subnet.

You need to ensure that when the users connect to app1.contoso.com, they connect to a server on their local subnet. The connections must be distributed across the servers that host app1.contoso.com on their subnet.

Which two settings should you configure? 

To answer, select the appropriate two settings in the answer area. 


Answer: 



Q3. Your network contains an Active Directory domain named contoso.com. The domain contains two member servers named Server1 and Server2. All servers run Windows Server 2012 R2. 

Server1 and Server2 have the Failover Clustering feature installed. The servers are configured as nodes in a failover cluster named Cluster1. 

You add two additional nodes to Cluster1. You need to ensure that Cluster1 stops running if three nodes fail. 

What should you configure? 

A. Affinity-None 

B. Affinity-Single 

C. The cluster quorum settings 

D. The failover settings 

E. A file server for general use 

F. The Handling priority 

G. The host priority 

H. Live migration 

I. The possible owner 

J. The preferred owner 

K. Quick migration 

L. the Scale-Out File Server 

Answer: C 

Explanation: 

The quorum configuration in a failover cluster determines the number of failures that the cluster can sustain. 

Reference: Understanding Quorum Configurations in a Failover Cluster 

http://technet.microsoft.com/en-us/library/cc731739.aspx 


Q4. Your network contains two DNS servers named DNS1 and DNS2 that run Windows Server 2012 R2. 

DNS1 has a primary zone named contoso.com. DNS2 has a secondary copy of the contoso.com zone. 

You need to log the zone transfer packets sent between DNS1 and DNS2. 

What should you configure? 

A. Monitoring from DNS Manager 

B. Logging from Windows Firewall with Advanced Security 

C. A Data Collector Set (DCS) from Performance Monitor 

D. Debug logging from DNS Manager 

Answer: D 

Explanation: 

Debug logging allows you to log the packets sent and received by a DNS server. Debug logging is disabled by default, and because it is resource intensive, you should only activate it temporarily when you need more specific detailed information about server performance. 

Reference: Active Directory 2008: DNS Debug Logging Facts. 


Q5. Your network contains an Active Directory domain named contoso.com. 

You deploy a server named Server1 that runs Windows Server 2012 R2. 

A local administrator installs the Active Directory Rights Management Services server role on Server1.

You need to ensure that AD RMS clients can discover the AD RMS cluster automatically. 

What should you do? 

A. Run the Active Directory Rights Management Services console by using an account that is a member of the Schema Admins group, and then configure the proxy settings. 

B. Run the Active Directory Rights Management Services console by using an account that is a member of the Schema Admins group, and then register the Service Connection Point (SCP). 

C. Run the Active Directory Rights Management Services console by using an account that is a member of the Enterprise Admins group, and then register the Service Connection Point (SCP). 

D. Run the Active Directory Rights Management Services console by using an account that is a member of the Enterprise Admins group, and then configure the proxy settings. 

Answer: C 

Explanation: 

* The Active Directory Rights Management Services (AD RMS) Service Connection Point (SCP) is an object in Active Directory that holds the web address of the AD RMS certification cluster. AD RMS-enabled applications use the SCP to discover the AD RMS service; it is the first connection point for users to discover the AD RMS web services. 

* To register the SCP you must be a member of the local AD RMS Enterprise Administrators group and the Active Directory Domain Services (AD DS) Enterprise Admins group, or you must have been given the appropriate authority. 

Reference: The AD RMS Service Connection Point 


Q6. HOTSPOT 

Your network contains one Active Directory forest named adatum.com. The forest contains a single domain. 

The forest contains the domain controllers configured as shown in the following table. 


Recently, a domain controller named DC4 was deployed to adatum.com. DC4 is in the Default-First-Site-Name site. 

The adatum.com site links are configured as follows. 


The schedule for SiteLink1 is shown in the SiteLink1 exhibit. (Click the Exhibit button.) 


The schedule for SiteLink2 is shown in the SiteLink2 exhibit. (Click the Exhibit button.) 


For each of the following statements, select Yes if the statement is true. Otherwise, select No. 


Answer: 



Q7. Your network contains an Active Directory domain named contoso.com. The domain contains two servers named Server1 and Server2. Both servers have the Hyper-V server role installed. 

You plan to replicate virtual machines between Server1 and Server2. The replication will be encrypted by using Secure Sockets Layer (SSL). 

You need to request a certificate on Server1 to ensure that the virtual machine replication is encrypted. 

Which two intended purposes should the certificate for Server1 contain? (Each correct answer presents part of the solution. Choose two.) 

A. Client Authentication 

B. Kernel Mode Code Signing 

C. Server Authentication 

D. IP Security end system 

E. KDC Authentication 

Answer: A,C 

Explanation: 

You need to use certificate-based authentication if you want transmitted data to be encrypted. 

Replica Server Certificate Requirements 

To enable a server to receive replication traffic, the certificate in the replica server must meet the following conditions 

* Enhanced Key Usage must support both Client and Server authentication 

Etc. 

Reference: Hyper-V Replica - Prerequisites for certificate based deployments 

http://blogs.technet.com/b/virtualization/archive/2012/03/13/hyper-v-replica-certificate-requirements.aspx 


Q8. Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2. Server1 is an enterprise root certification authority (CA) for contoso.com. 

Your user account is assigned the certificate manager role and the auditor role on the contoso.com CA. Your account is a member of the local Administrators group on Server1. 

You enable CA role separation on Server1. 

You need to ensure that you can manage the certificates on the CA. 

What should you do? 

A. Remove your user account from the local Administrators group. 

B. Assign the CA administrator role to your user account. 

C. Assign your user account the Bypass traverse checking user right. 

D. Remove your user account from the Manage auditing and security log user right. 

Answer: D 

Explanation: 

The separation of CA roles can be enforced using role separation. Once enforced, role separation only allows a user to be assigned a single role. If a user is assigned to more than one role and attempts to perform an operation on the CA, the operation is denied. For this reason, before role separation is enabled, a user should be assigned only one CA role. 

Reference: Role Separation 


Q9. Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2. Server1 has the Active Directory Rights Management Services server role installed.

Your company works with a partner organization that does not have its own Active Directory Rights Management Services (AD RMS) implementation. 

You need to create a trust policy for the partner organization. 

The solution must meet the following requirements: 

* Grant users in the partner organization access to protected content.

* Provide users in the partner organization with the ability to create protected content.

Which type of trust policy should you create? 

A. A federated trust 

B. Windows Live ID 

C. A trusted publishing domain 

D. A trusted user domain 

Answer: A 

Explanation: 

In AD RMS, rights can be assigned to users who have a federated trust with Active Directory Federation Services (AD FS). This enables an organization to share access to rights-protected content with another organization without having to establish a separate Active Directory trust or Active Directory Rights Management Services (AD RMS) infrastructure.

Incorrect:

Not C. Trusted publishing domains allow one AD RMS server to issue use licenses that correspond with a publishing license issued by another AD RMS server, but in this scenario the partner organization does not have any Active Directory.

Not D. A trusted user domain, often referred to as a TUD, is a trust between AD RMS clusters, but in this scenario the partner organization does not have any Active Directory.

Reference: AD RMS and AD FS Considerations 

http://technet.microsoft.com/en-us/library/dd772651(v=WS.10).aspx 


Q10. Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2. Server1 has the Active Directory Certificate Services server role installed and is configured to support key archival and recovery. 

You create a new Active Directory group named Group1. 

You need to ensure that the members of Group1 can request a Key Recovery Agent certificate. 

The solution must minimize the permissions assigned to Group1. 

Which two permissions should you assign to Group1? (Each correct answer presents part of the solution. Choose two.) 

A. Read 

B. Auto enroll 

C. Write 

D. Enroll 

E. Full control 

Answer: A,D 

Explanation: 

See step 6 below.

To configure the Key Recovery Agent certificate template:

1. Open the Certificate Templates snap-in.

2. In the console tree, right-click the Key Recovery Agent certificate template.

3. Click Duplicate Template.

4. In Template, type a new template display name, and then modify any other optional properties as needed.

5. On the Security tab, click Add, type the name of the users you want to issue the key recovery agent certificates to, and then click OK.

6. Under Group or user names, select the user names that you just added. Under Permissions, select the Read and Enroll check boxes, and then click OK.

Reference: Identify a Key Recovery Agent 


Q11. You have a server named Server1 that runs Windows Server 2012 R2. Server1 is located in the perimeter network and has the DNS Server server role installed. 

Server1 has a zone named contoso.com. 

You apply a security template to Server1.

After you apply the template, users report that they can no longer resolve names from contoso.com.

On Server1, you open DNS Manager as shown in the DNS exhibit. (Click the Exhibit button.) 


On Server1, you open Windows Firewall with Advanced Security as shown in the Firewall exhibit. (Click the Exhibit button.) 


You need to ensure that users can resolve contoso.com names. 

What should you do? 

A. From Windows Firewall with Advanced Security, disable the DNS (TCP, Incoming) rule and the DNS (UDP, Incoming) rule. 

B. From DNS Manager, modify the Zone Transfers settings of the contoso.com zone. 

C. From DNS Manager, unsign the contoso.com zone. 

D. From DNS Manager, modify the Start of Authority (SOA) of the contoso.com zone. 

E. From Windows Firewall with Advanced Security, modify the profiles of the DNS (TCP, Incoming) rule and the DNS (UDP, Incoming) rule. 

Answer: E 

Explanation: 

To configure Windows Firewall on a managed DNS server:

* On the Server Manager menu, click Tools and then click Windows Firewall with Advanced Security.

* Right-click Inbound Rules, and then click New Rule. The New Inbound Rule Wizard will launch.

* In Rule Type, select Predefined, choose DNS Service from the list, and then click Next.

* In Predefined Rules, under Rules, select the checkboxes next to the following rules:

* Click Next, choose Allow the connection, and then click Finish.

* Right-click Inbound Rules, and then click New Rule. The New Inbound Rule Wizard will launch.

etc.

Reference: Manually Configure DNS Access Settings 


Q12. Your network contains an Active Directory domain named contoso.com. The domain contains a domain controller named DC1 that runs Windows Server 2012 R2. DC1 has the DNS Server server role installed. 

The network contains client computers that run either Linux, Windows 7, or Windows 8. 

You have a zone named adatum.com as shown in the exhibit. (Click the Exhibit button.) 


You plan to configure Name Protection on all of the DHCP servers. 

You need to configure the adatum.com zone to support Name Protection. 

What should you do? 

A. Change the zone type. 

B. Sign the zone. 

C. Add a DNSKEY record. 

D. Configure Dynamic updates. 

Answer: D 

Explanation: 

Name protection requires secure update to work. Without name protection DNS names may be hijacked. 

You can use the following procedures to allow only secure dynamic updates for a zone. Secure dynamic update is supported only for Active Directory–integrated zones. If the zone type is configured differently, you must change the zone type and directory-integrate the zone before securing it for Domain Name System (DNS) dynamic updates. 

Enable secure dynamic updates: 


Reference: DHCP: Secure DNS updates should be configured if Name Protection is enabled on any IPv4 scope

http://technet.microsoft.com/en-us/library/ee941152(v=ws.10).aspx


Q13. HOTSPOT 

Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2. Server1 has the Active Directory Federation Services (AD FS) server role installed. 

Adatum.com is a partner organization. 

You are helping the administrator of adatum.com set up a federated trust between adatum.com and contoso.com. The administrator of adatum.com asks you to provide a file containing the federation metadata of contoso.com. 

You need to identify the location of the federation metadata file. Which node in the AD FS console should you select?

To answer, select the appropriate node in the answer area. 


Answer: 



Q14. Your network contains an Active Directory forest named contoso.com. The forest contains two domains named contoso.com and child1.contoso.com. The domains contain three domain controllers.

The domain controllers are configured as shown in the following table. 


You need to ensure that the KDC support for claims, compound authentication, and Kerberos armoring setting is enforced in the child1.contoso.com domain.

Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.) 

A. Upgrade DC1 to Windows Server 2012 R2. 

B. Upgrade DC11 to Windows Server 2012 R2. 

C. Raise the domain functional level of child1.contoso.com.

D. Raise the domain functional level of contoso.com. 

E. Raise the forest functional level of contoso.com. 

Answer: A,D 

Explanation: 

The root domain in the forest must be at Windows Server 2012 level. First upgrade DC1 to this level (A), then raise the contoso.com domain functional level to Windows Server 2012 (D). 

* (A) To support resources that use claims-based access control, the principal’s domains will need to be running one of the following:

  * All Windows Server 2012 domain controllers

  * Sufficient Windows Server 2012 domain controllers to handle all the Windows 8 device authentication requests

  * Sufficient Windows Server 2012 domain controllers to handle all the Windows Server 2012 resource protocol transition requests to support non-Windows 8 devices.

Reference: What's New in Kerberos Authentication

http://technet.microsoft.com/en-us/library/hh831747.aspx


Q15. Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2 and has the DNS Server server role installed. 

Server1 has a zone named contoso.com. The zone is configured as shown in the exhibit. (Click the Exhibit button.) 


You need to assign a user named User1 permission to add and delete records from the contoso.com zone only. 

What should you do first? 

A. Enable the Advanced view from DNS Manager. 

B. Add User1 to the DnsUpdateProxy group. 

C. Run the New Delegation Wizard. 

D. Configure the zone to be Active Directory-integrated. 

Answer: D 

Explanation: 

Secure dynamic updates are only supported or configurable for resource records in zones that are stored in Active Directory Domain Services (AD DS). 

Note: To modify security for a resource record 

Open DNS Manager. 

In the console tree, click the applicable zone. 

In the details pane, click the record that you want to view. 

On the Action menu, click Properties. 

On the Security tab, modify the list of member users or groups that are allowed to securely update the applicable record and reset their permissions as needed.

Reference: Modify Security for a Resource Record 

