
Microsoft - 70-742: Identity with Windows Server 2016

Sample Questions

Question: 254
Measured Skill: Create and manage Group Policy (25–30%)

Your network contains an Active Directory forest named fabrikam.com. The forest contains three domains named fabrikam.com, sales.fabrikam.com, and contoso.com.

You recently added a site named Europe.

The forest contains four users who are members of the groups shown in the following table.



You need to create a Group Policy object (GPO) named GPO1 and to link GPO1 to the Europe site.

Which users can perform each task?

(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)

www.cert2brain.com

A Users who can create GPO1: User1, User2, User3, and User4
Users who can link GPO1 to Europe: User1 and User2 only
B Users who can create GPO1: User2 only
Users who can link GPO1 to Europe: User1, User2, User3, and User4
C Users who can create GPO1: User1 only
Users who can link GPO1 to Europe: User4 only
D Users who can create GPO1: User1 and User2 only
Users who can link GPO1 to Europe: User2 only
E Users who can create GPO1: User1, User2, User3, and User4
Users who can link GPO1 to Europe: User1, User2, User3, and User4
F Users who can create GPO1: User2 only
Users who can link GPO1 to Europe: User2 only

Correct answer: A

Explanation:

To link an existing GPO to a site, domain, or OU, you must have Link GPOs permission on that site, domain, or OU. By default, only domain administrators and enterprise administrators have this privilege for domains and OUs. Enterprise administrators and domain administrators of the forest root domain have this privilege for sites.

To create and link a GPO, you must have Link GPOs permissions on the desired domain or organizational unit, and you must have permission to create GPOs in that domain. By default, only domain administrators, enterprise administrators, and Group Policy Creator owners have permission to create GPOs.

The question does not specify in which domain GPO1 should be created. Each of the four users has the permissions required to create a Group Policy object in their own domain.

Question: 255
Measured Skill: Manage and maintain AD DS (15–20%)

Your company has a main office and a branch office. The two offices connect to each other by using a WAN link.

Your network contains an Active Directory forest named contoso.com. The forest contains a domain controller named DC1. All of the domain controllers are located in the main office.

You install a read-only domain controller (RODC) named RODC1 in the branch office.

You create a user account for a new user named User1. You add User1 to the Allowed RODC Password Replication Group. User1 starts work on Monday.

You are notified that the WAN link will be down for maintenance on Monday.

You need to ensure that User1 can log on in the branch office site on Monday.

Which command should you run?

(To answer, select the appropriate options in the answer area)


A clonepr /rodcpwdrepl rodc1.fabrikam.com dc1.fabrikam.com "cn=user1,ou=users,dc=fabrikam,dc=com"
B clonepr /prp rodc1.fabrikam.com dc1.fabrikam.com "cn=user1,ou=users,dc=fabrikam,dc=com"
C ldifde /syncall rodc1.fabrikam.com dc1.fabrikam.com "cn=user1,ou=users,dc=fabrikam,dc=com"
D repadmin /rodcpwdrepl rodc1.fabrikam.com dc1.fabrikam.com "cn=user1,ou=users,dc=fabrikam,dc=com"
E repadmin /replicate rodc1.fabrikam.com dc1.fabrikam.com "cn=user1,ou=users,dc=fabrikam,dc=com"
F replmon /syncall rodc1.fabrikam.com dc1.fabrikam.com "cn=user1,ou=users,dc=fabrikam,dc=com"

Correct answer: D

Explanation:

The credentials of members of the Allowed RODC Password Replication Group are allowed to be cached on an RODC. The credentials are cached the first time the user is authenticated by the RODC.

Since User1 has not been authenticated by RODC1 yet, we need to ensure that User1's credentials are available on RODC1 on Monday.

Repadmin /rodcpwdrepl triggers replication of passwords for the specified users from a writable Windows Server source domain controller to one or more read-only domain controllers (RODCs).

For each destination RODC, the source domain controller enforces the Password Replication Policy (PRP) before it performs the operation. If the PRP does not permit replicating the password to an RODC for a specified user, the operation for that user and RODC combination fails.

The following example triggers replication of the passwords for the user account named JaneOh from the source domain controller named source-dc01 to all RODCs that have the name prefix dest-rodc:

repadmin /rodcpwdrepl dest-rodc* source-dc01 cn=JaneOh,ou=execs,dc=contoso,dc=com
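
Pre-populating User1's password and confirming that it is actually cached, as an added example that is not part of the original page. Host names and the user DN are taken from answer D; it assumes the ActiveDirectory RSAT module and repadmin are available on the machine where it runs.

```powershell
# Added example: pre-populate and verify a password on an RODC before a WAN outage.
# Names are taken from answer D of the question.
Import-Module ActiveDirectory

$rodc   = 'rodc1.fabrikam.com'   # destination RODC
$hub    = 'dc1.fabrikam.com'     # writable source domain controller
$userDn = 'cn=user1,ou=users,dc=fabrikam,dc=com'

# 1. Resolve the Password Replication Policy for this account on this RODC.
#    Possible results: Allow, DenyExplicit, DenyImplicit, Unknown.
$prp = Get-ADAccountResultantPasswordReplicationPolicy -Identity $userDn -DomainController $rodc
if ($prp -ne 'Allow') {
    throw "PRP result for $userDn on $rodc is '$prp'; /rodcpwdrepl would be refused."
}

# 2. Trigger replication of the password from the writable DC to the RODC.
repadmin /rodcpwdrepl $rodc $hub $userDn
if ($LASTEXITCODE -ne 0) {
    throw "repadmin exited with code $LASTEXITCODE"
}

# 3. Confirm the account now appears in the RODC's list of revealed (cached) accounts.
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts
if ($revealed.DistinguishedName -contains $userDn) {
    Write-Output "Password for $userDn is cached on $rodc."
} else {
    Write-Warning "$userDn is not in the revealed list of $rodc; check replication before the outage."
}
```

The revealed list is also the inventory to review if an RODC is lost or stolen, since it names every account whose password must be reset.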

Question: 256
Measured Skill: Install and configure Active Directory Domain Services (AD DS) (20–25%)

Your network contains an Active Directory forest named contoso.com. The forest contains the root domain and two child domains named child1.contoso.com and child2.contoso.com.

Child1 contains three domain controllers named DC1, DC2, and DC3. Child2 contains one domain controller named DC4.

You have two accounts named Child1\Admin1 and Child2\Admin2 that you use to perform administrative tasks. Currently, the accounts can manage only the member servers in their respective domain.

You plan to demote DC3 and to remove the Child2 domain.

You need to ensure that Admin1 can demote DC3 and that Admin2 can demote DC4. The solution must use the principle of least privilege.

To which groups should you add Admin1 and Admin2?

(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)


A Admin1: Child1\Domain Admins
Admin2: Contoso\Enterprise Admins
B Admin1: Child1\Server Operators
Admin2: Child2\Server Operators
C Admin1: Contoso\Domain Admins
Admin2: Contoso\Schema Admins
D Admin1: Contoso\Domain Admins
Admin2: Contoso\Domain Admins
E Admin1: Contoso\Enterprise Admins
Admin2: Child2\Domain Admins
F Admin1: Contoso\Schema Admins
Admin2: Contoso\Schema Admins

Correct answer: A

Explanation:

Demoting an additional domain controller requires Domain Admin credentials.

Demoting the last domain controller in a domain requires Enterprise Admins group membership, as this removes the domain itself (if the last domain in the forest, this removes the forest). Server Manager informs you if the current domain controller is the last domain controller in the domain. Select the Last domain controller in the domain check box to confirm the domain controller is the last domain controller in the domain.

Reference: Demoting Domain Controllers and Domains

Question: 257
Measured Skill: Create and manage Group Policy (25–30%)

Your network contains a single-domain Active Directory forest named contoso.com. The forest functional level is Windows Server 2016.

You plan to create and link a Group Policy object (GPO) named GPO1. GPO1 will contain user settings only.

You plan to apply GPO1 only to users who are members of a group named Group1.

You need to ensure that GPO1 only applies to the members of Group1. The solution must use the principle of least privilege.

What should you configure?

(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)


A Assign both Read and Apply group policy permissions to: Authenticated Users
Assign only Read permissions to: Group1
Group to remove from the permissions: Domain Computers
B Assign both Read and Apply group policy permissions to: Authenticated Users
Assign only Read permissions to: Domain Computers
Group to remove from the permissions: Domain Controllers
C Assign both Read and Apply group policy permissions to: Domain Computers
Assign only Read permissions to: Domain Controllers
Group to remove from the permissions: Group1
D Assign both Read and Apply group policy permissions to: Domain Controllers
Assign only Read permissions to: Domain Users
Group to remove from the permissions: Group1
E Assign both Read and Apply group policy permissions to: Domain Users
Assign only Read permissions to: Domain Controllers
Group to remove from the permissions: Authenticated Users
F Assign both Read and Apply group policy permissions to: Group1
Assign only Read permissions to: Domain Computers
Group to remove from the permissions: Authenticated Users

Correct answer: F

Explanation:

The default group policy permissions are as shown in the following exhibit:



Note: Authenticated Users includes every authenticated object to Active Directory, which would include all domain users, groups (defined and part of AD), and computers that have been joined to the domain.

We need to ensure that Group1 has Read and Apply group policy permissions.

Since group policies are processed using the computer security context, the domain computers need read permission.

To prevent the Group Policy from being applied to users who are not members of Group1, the Authenticated Users group must be removed from the permissions.

Note: Microsoft released a security patch in 2016 that changed how group policies are processed. After the patch is applied, user group policies are retrieved from SYSVOL differently than before. Prior to the update, domain-joined computers used the user's security context to make the connection and retrieve the policies. After the update is applied, domain-joined computers retrieve all policies using the computer security context. Which users get the policy is still controlled by the policy scope, just as before. The only change is that the computer retrieves the policy on behalf of the user.

Reference: Who broke my user GPOs?
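
The security filtering from answer F, followed by a forest-hygiene check, as an added example that is not part of the original page. It assumes the GroupPolicy RSAT module and that GPO1 already exists; the audit at the end goes beyond the question and lists every GPO that computers can no longer read.

```powershell
# Added example: scope GPO1 to Group1 without breaking computer-context retrieval.
Import-Module GroupPolicy

$gpo = 'GPO1'

# 1. Group1 gets Read + Apply group policy (the GpoApply level includes Read).
Set-GPPermission -Name $gpo -TargetName 'Group1' -TargetType Group -PermissionLevel GpoApply

# 2. Domain Computers get Read only, so the computer account can fetch the
#    user policy from SYSVOL. Do this BEFORE removing Authenticated Users.
Set-GPPermission -Name $gpo -TargetName 'Domain Computers' -TargetType Group -PermissionLevel GpoRead

# 3. Remove Authenticated Users so non-members of Group1 no longer apply the GPO.
Set-GPPermission -Name $gpo -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel None -Replace

# 4. Show the resulting delegation for review.
Get-GPPermission -Name $gpo -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission

# 5. Audit (generalization): GPOs where neither Authenticated Users nor
#    Domain Computers holds any permission. User settings in these GPOs
#    stop applying once policies are retrieved in the computer context.
$computerReaders = 'Authenticated Users', 'Domain Computers'
Get-GPO -All | Where-Object {
    $acl = Get-GPPermission -Guid $_.Id -All
    -not ($acl | Where-Object { $_.Trustee.Name -in $computerReaders })
} | Select-Object DisplayName, Id
```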

Question: 258
Measured Skill: Install and configure Active Directory Domain Services (AD DS) (20–25%)

Your network contains an Active Directory domain. The domain contains two domain controllers named DC1 and DC2. DC2 is a virtual machine that is hosted on a Hyper-V host named HyperV1. DC1 holds the PDC emulator operations master role.

You need to create a new domain controller named DC3 by using domain controller cloning.

Which five actions should you perform in sequence before you can import the cloned virtual machine?

(To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order. NOTE: More than one order of answer choices is correct. You will receive credit for any of the correct orders you select.)


A Sequence: 5, 1, 4, 6, 3
B Sequence: 2, 1, 4, 6, 3
C Sequence: 6, 4, 1, 3, 5
D Sequence: 6, 3, 1, 4, 5

Correct answer: B

Explanation:

The first step in the cloning process is to add the source DC to the Cloneable Domain Controllers group.

Second, you should use the Get-ADDCCloningExcludedApplicationList cmdlet to check whether any installed services or third-party apps prevent the domain controller from being cloned.

Then you can use the New-ADDCCloneConfigFile cmdlet to create the DCCloneConfig.xml configuration file. DCCloneConfig.xml is an XML configuration file that contains all of the settings the cloned DC will take when it boots. This includes network settings, DNS, WINS, AD site name, new DC name and more.

The last step is to export the source virtual machine. This can be accomplished via PowerShell or the Hyper-V management console. First, turn off the source DC, then export the VM.

Reference: Virtual Domain Controller Cloning in Windows Server 2012
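
The preparation steps described above as one PowerShell sequence, as an added example that is not part of the original page. DC2, DC3 and HyperV1 come from the question; the site name, IP settings and export path are assumed placeholder values.

```powershell
# Added example: prepare DC2 for cloning and export it from HyperV1.
# Site name, IP addresses and export path below are assumed placeholders.

# --- Run on the source domain controller (DC2) ---
Import-Module ActiveDirectory

# 1. Authorize the source DC for cloning.
Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members (Get-ADComputer 'DC2')

# 2. List installed services and programs that are not known to be safe to clone.
#    Stop here and vet each entry; do not allow-list them blindly.
$blockers = Get-ADDCCloningExcludedApplicationList
if ($blockers) {
    $blockers | Format-Table -AutoSize
    throw 'Review the listed applications before continuing.'
}

# 3. Create DCCloneConfig.xml with the identity the clone takes on first boot.
New-ADDCCloneConfigFile -CloneComputerName 'DC3' `
    -SiteName 'Default-First-Site-Name' `
    -Static `
    -IPv4Address '10.0.0.13' `
    -IPv4SubnetMask '255.255.255.0' `
    -IPv4DefaultGateway '10.0.0.1' `
    -IPv4DNSResolver '10.0.0.11'

# --- Run on the Hyper-V host (HyperV1) ---
Import-Module Hyper-V

# 4. Shut down the source DC, then export it. The exported files contain a full
#    copy of the AD database, so restrict access to the export path.
Stop-VM -Name 'DC2'
if (Get-VMSnapshot -VMName 'DC2') {
    Write-Warning 'DC2 has checkpoints; remove them before exporting.'
} else {
    Export-VM -Name 'DC2' -Path 'D:\Export'
}
```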



 
 
 

© Copyright 2014 - 2019 by cert2brain.com