Your network contains an Active Directory domain named contoso.com.
You need to audit access to removable storage devices.
Which audit category should you configure?
To answer, select the appropriate category in the answer area.
Advanced Security Auditing Options – Configure Object Access > Audit Removable storage http://technet.microsoft.com/en-us/library/jj574128.aspx
Your network contains an Active Directory domain named adatum.com. You need to audit changes to the files in the SYSVOL shares on all of the domain controllers. The solution must minimize the amount of SYSVOL replication traffic caused by the audit.
Which two settings should you configure? (Each correct answer presents part of the solution. Choose two.)
A. Audit Policy\Audit system events
B. Advanced Audit Policy Configuration\DS Access
C. Advanced Audit Policy Configuration\Global Object Access Auditing
D. Audit Policy\Audit object access
E. Audit Policy\Audit directory service access
F. Advanced Audit Policy Configuration\Object Access
Your network contains an Active Directory domain named contoso.com.
You have several Windows PowerShell scripts that execute when client computers start. When a client computer starts, you discover that it takes a long time before users are prompted to log on.
You need to reduce the amount of time it takes for the client computers to start. The solution must not prevent scripts from completing successfully.
Which setting should you configure? To answer, select the appropriate setting in the answer area.
Lets the system run startup scripts simultaneously rather than waiting for each to finish http://technet.microsoft.com/en-us/library/cc939423.aspx
Drag and Drop Question
You are a network administrator of an Active Directory domain named contoso.com. You have a server named Server1 that runs Windows Server 2012 R2. Server1 has the Web Server (IIS) server role installed. Server1 will host a web site at URL https:// secure.contoso.com. The application pool identity account of the web site will be set to a domain user account named AppPool1. You need to identify the setspn.exe command that you must run to configure the appropriate Service Principal Name (SPN) for the web site.
What should you run? To answer, drag the appropriate objects to the correct location. Each object may be used once, more than once, or not at all.
* -s <SPN>
Adds the specified SPN for the computer, after verifying that no duplicates exist.
Usage: setspn -s SPN accountname
For example, to register SPN “http/daserver” for computer “daserver1”:
setspn -S http/daserver daserver1
Your network contains an Active Directory domain named contoso.com. You deploy a web-based application named App1 to a server named Server1. App1 uses an application pool named AppPool1. AppPool1 uses a domain user account named User1 as its identity. You need to configure Kerberos constrained delegation for User1.
Which three actions should you perform? To answer, move the three appropriate actions from the list of actions to the answer area and arrange them in the correct order
First answer should be “setspn -L” – to check for SPNs of User1. After that we should add HTTP SPN for User1 “setspn -s” so delegation tab appears and we can select “Trust this user for delegation to specified services only”
Your network contains an Active Directory domain named contoso.com. All domain controllers run Windows Server 2012 R2. The domain contains 500 client computers that run Windows 8 Enterprise.
You implement a Group Policy central store.
You have an application named Appl. Appl requires that a custom registry setting be deployed to all of the computers.
You need to deploy the custom registry setting. The solution must minimize administrator effort.
What should you configure in a Group Policy object (GPO)?
A. The Administrative Templates
B. An application control policy
C. The Group Policy preferences
D. Software installation setting
Your network contains an Active Directory domain called contoso.com. The domain contains a domain controller named DC1 that runs Windows Server 2012 R2. The domain contains some test client computers that run either Windows XP, Windows Vista, Windows 7, or Windows 8. The computer accounts for the test computers are located in an organizational unit (OU) named OU1. You have a Group Policy object (GPO) named GPO1 linked to OU1. GPO1 is used to assign several applications to the test computers.
You need to ensure that when the test computers in OU1 restart, you can see which application installation is running currently.
Which setting should you modify in GPO1? To answer, select the appropriate setting in the answer area.
Allows you to receive verbose startup, shutdown, logon, and logoff status messages. Verbose status messages may be helpful when you are troubleshooting slow startup, shutdown, logon, or logoff behavior.
Your network contains an Active Directory domain named contoso.com. The domain contains a domain controller named DC1 that runs Windows Server 2012 R2.
You create an Active Directory snapshot of DC1 each day.
You need to view the contents of an Active Directory snapshot from two days ago.
What should you do first?
A. Run the dsamain.exe command.
B. Stop the Active Directory Domain Services (AD DS) service.
C. Run the ntdsutil.exe command.
D. Start the Volume Shadow Copy Service (VSS).
Your network contains an Active Directory domain named adatum.com. All domain controllers run Windows Server 2012 R2. The domain contains a virtual machine named DC2.
On DC2, you run Get-ADDCCloningExcludedApplicationList and receive the output shown in the following table.
You need to ensure that you can clone DC2.
Which two actions should you perform?
(Each correct answer presents part of the solution.
A. Create an empty file named CustomDCClonesAllowList.xml
B. Add the following information to the DCCloneConfigSchema.xsd <AllowList>
C. Create a filename DCCloneConfig.xml that contains the following information
D. Create a filename CustomDCCloneAllowList.xml that contains the following
E. Create an empty file named DCCloneConfig.xml
D: Run Get-ADDCCloningExcludedApplicationList cmdlet
In this procedure, run the Get-ADDCCloningExcludedApplicationList cmdlet on the source virtualized domain controller to identify any programs or services that are not evaluated for cloning. You need to run the Get-ADDCCloningExcludedApplicationList cmdlet before the New-ADDCCloneConfigFile cmdlet because if the New-ADDCCloneConfigFile cmdlet detects an excluded application, it will not create a DCCloneConfig.xml file.
To identify applications or services that run on a source domain controller which have not been evaluated for cloning
1. On the source domain controller (VirtualDC1), click Server Manager, click Tools, click Active Directory Module for Windows PowerShell and then type the following command:
2. Vet the list of the returned services and installed programs with the software vendor to determine whether they can be safely cloned. If applications or services in the list cannot be safely cloned, you must remove them from the source domain controller or cloning will fail.
3. For the set of services and installed programs that were determined to be safely cloned, run the command again with the 璆enerateXML switch to provision these services and programs in the CustomDCCloneAllowList.xml file.
E: The clone domain controller will be located in the same site as the source domain controller unless a different site is specified in the DCCloneConfig.xml file.
* The Get-ADDCCloningExcludedApplicationList cmdlet searches the local domain controller for programs and services in the installed programs database, the services control manager that are not specified in the default and user defined inclusion list. The applications in the resulting list can be added to the user defined exclusion list if they are determined to support cloning. If the applications are not cloneable, they should be removed from the source domain controller before the clone media is created. Any application that appears in cmdlet output and is not included in the user defined inclusion list will force cloning to fail.
* The Get-ADDCCloningExcludedApplicationList cmdlet needs to be run before the New- ADDCCloneConfigFile cmdlet is used because if the New-ADDCCloneConfigFile cmdlet detects an excluded application, it will not create a DCCloneConfig.xml file.
* DCCloneConfig.xml is an XML configuration file that contains all of the settings the cloned DC will take when it boots. This includes network settings, DNS, WINS, AD site name, new DC name and more. This file can be generated in a few different ways.
The New-ADDCCloneConfig cmdlet in PowerShell
By hand with an XML editor
By editing an existing config file, again with an XML editor (Notepad is not an XML editor.) Reference: Introduction to Active Directory Domain Services (AD DS) Virtualization (Level 100)
Your network contains an Active Directory domain named contoso.com. The domain contains a member server named Server1. Server1 has the Web Server (IIS) server role installed. On Server1, you install a managed service account named Service1.
You attempt to configure the World Wide Web Publishing Service as shown in the exhibit. (Click the Exhibit button.)
You receive the following error message:
“The account name is invalid or does not exist, or the password is invalid for the account name specified.”
You need to ensure that the World Wide Web Publishing Service can log on by using the managed service account.
What should you do?
A. Specify contoso\service1$ as the account name.
B. Specify [email protected] as the account name.
C. Reset the password for the account.
D. Enter and confirm the password for the account.
A. There must be a dollar sign ($) at the end of the account name in the Services snap-in console. When you use the Services snap-in console, the SeServiceLogonRight logon right is automatically assigned to the account. If you use the Sc.exe tool or APIs to configure the account, the account has to be explicitly granted this right by using tools such as the Security Policy snap-in, Secedit.exe, or NTRights.exe.
B. Logon right not automatically granted
C. Not a password issue “I assume” not exhibit present
D. Password not needed when using MSA
http://technet.microsoft.com/en-us/library/dd548356(v=ws.10).aspx http://blogs.technet.com/b/askds/archive/2009/09/10/managed-service-accounts-understanding- implementingbest-practices-and-troubleshooting.aspx
Passing Microsoft 70-411 Exam successfully in a short time! Just using Braindump2go’s Latest Microsoft 70-411 Dump: