[2017 PDF&VCE] Lead2pass 2017 New 70-411 Exam PDF Ensure 70-411 Certification Exam Pass Successfully (221-240)

Lead2pass 2017 September New Microsoft 70-411 Exam Dumps

100% Free Download! 100% Pass Guaranteed!

2017 latest released Microsoft official 70-411 exam question free download from Lead2pass! All new updated questions and answers are real questions from Microsoft Exam Center!

Following questions and answers are all new published by Microsoft Official Exam Center: https://www.lead2pass.com/70-411.html

QUESTION 221
Hotspot Question
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2.
Server1 has the Windows Server Update Services server role installed.
You need to use the Group Policy object (GPO) to assign members to a computer group.
Which setting should you configure in the GPO?
To answer, select the appropriate setting in the answer area.

 

Answer:

 

Explanation:
Client-side targeting involves automatically assigning the computers by using either Group Policy or registry keys. Second, create the computer group in WSUS. Third, move the computers into groups by using whichever method you chose in the first step.
http://technet.microsoft.com/en-us/library/cc720433(v=ws.10).aspx

QUESTION 222
The contoso.com domain contains a a DNS server named Server1 that host a primary zone. Server2 contains a a secondary zone for the contoso.com doamin.
You need to configure how long Server2 queries Server1 to renew the zone.
What should you configure?

A.    Retry Interval
B.    Minimum TTL
C.    Refresh Interval
D.    Authority Record

Answer: C
Explanation:
A. The time, in seconds, a secondary server waits before retrying a failed zone transfer. Normally, this time is less than the refresh interval. The default value is 600 seconds (10 minutes).
B The default Time-To-Live (TTL) of the zone and the maximum interval for caching negative answers to name queries. The default value is 3,600 seconds (1 hour).
C. The time, in seconds, that a secondary DNS server waits before querying its source for the zone to attempt renewal of the zone. When the refresh interval expires, the secondary DNS server requests a copy of the current SOA record for the zone from its source, which answers this request. The secondary DNS server then compares the serial number of the source server’s current SOA record (as indicated in the response) with the serial number in its own local SOA record. If they are different, the secondary DNS server requests a zone transfer from the primary DNS server. The default for this field is 900 seconds (15 minutes).
D.
http://technet.microsoft.com/en-us/library/cc779148(v=ws.10).aspx

QUESTION 223
Hotspot Question
Your network contains an Active Directory domain named contoso.com. The domain contains three member servers named Server1, Server2, and Server3. All servers run Windows Server 2012 R2 and have the Windows Server Update Services (WSUS) server role installed.
Server1 and Server2 are configured as replica servers that use Server3 as an upstream server. You remove Server3 from the network.
You need to ensure that WSUS on Server2 retrieves updates from Server1.
The solution must ensure that Server1 and Server2 have the latest updates from Microsoft.
Which command should you run on each server?
To answer, select the appropriate command to run on each server in the answer area.

 

Answer:

 

Explanation:
With the cmdlet Set-WsusServerSynchronization can be determined whether a Windows Server Update Services (WSUS) server updates from Microsoft Update or an upstream server synchronized.

The parameter -SyncFromMU indicates that update servers should be synchronized from Microsoft. The parameter -UssServerName server name indicates that you want to synchronize from the upstream server specified.

QUESTION 224
Your network contains an Active Directory domain named contoso.com.
The domain contains a domain controller named DC1 that runs Windows Server 2012 R2.
You mount an Active Directory snapshot on DC1.
You need to expose the snapshot as an LDAP server.
Which tool should you use?

A.    ADSI Edit
B.    Ntdsutil
C.    Dsamain
D.    Ldp

Answer: C
Explanation:
http://technet.microsoft.com/en-us/library/cc772168.aspx
https://technet.microsoft.com/en-us/library/cc772168(v=ws.11).aspx

QUESTION 225
Your network contains an Active Directory domain named contoso.com.
The domain contains a server named Server1 that runs Windows Server 2012 R2.
Server1 has a drive named E that is encrypted by using BitLocker Drive Encryption (BitLocker).
A recovery key is stored on drive C. Drive E becomes locked.
When you attempt to use the recovery key, you receive the following error message.

 

You need to access the data stored on drive E.
What should you run first?

A.    manage-bde -protectors -get e:
B.    manage-bde -unlock e: -recoverykey c:\
C.    disable-bitlocker -mountpoint e:
D.    unlock-bitlocker -mountpoint e: -recoverykeypath c:

Answer: A
Explanation:
With the call Manage-bde -protectors -get E:
You can use the key protectors (protectors) list of a BitLocker-protected volumes. The ID numbers of protectors allow you to identify the matching key. With the cmdlet unlock BitLocker access can be restored to a BitLocker-protected volume. For unlocking of the following key protection devices can be used:

Active Directory domain account
Password (Password)
Recovery key (RecoveryKey)
Recovery password (Password Recovery)

With Unlock BitLocker and specifying the path of the recovery key would drive E can be unlocked directly. The question “What command run first?” but suggests that prior to unlocking more detailed information should be found for encryption.

Note:
manage-bde
can with the parameter unlock as the cmdlet unlock BitLocker be used to unlock a protected volume. The parameter recoverykey the command-line tool manage-bde but requires the full specification of the path of a recovery key (eg “C: \ Keys \ recoverykey.bek”).

QUESTION 226
Your network contains an Active Directory domain named contoso.com.
All user accounts reside in an organizational unit (OU) named OU1.
You create a Group Policy object (GPO) named GPO1.
You link GPO1 to OU1.
You configure the Group Policy preference of GPO1 to add a shortcut named Link1 to the desktop of each user.
You discover that when a user deletes Link1, the shortcut is removed permanently from the desktop.
You need to ensure that if a user deletes Link1, the shortcut is added to the desktop again.
What should you do?

A.    Modify the Link1 shortcut preference of GPO1.
B.    Enable loopback processing in GPO1.
C.    Enforce GPO1.
D.    Modify the Security Filtering settings of GPO1.

Answer: A
Explanation:
This type of preference item provides a choice of four actions: Create, Replace, Update, and Delete. The behavior of the preference item varies with the action selected and whether the shortcut already exists.

 

http://technet.microsoft.com/en-us/library/cc753580.aspx
http://technet.microsoft.com/en-us/library/cc753580.aspx

QUESTION 227
Your network contains an Active Directory forest named contoso.com. The forest contains two sites named Main and Branch. The Main site contains 400 desktop computers and the Branch site contains 150 desktop computers. All of the desktop computers run Windows 8. In Main, the network contains a member server named Server1 that runs Windows Server 2012 R2.
You install the Windows Server Update Services server role on Server1.
You need to ensure that Windows updates obtained from Windows Server Update Services (WSUS) are the same for the computers in each site.
You want to achieve this goal by using the minimum amount of administrative effort.
What should you do?

A.    From the Update Services console, create computer groups.
B.    From the Update Services console, configure the Computers options.
C.    From the Group Policy Management console, configure the Windows Update settings.
D.    From the Group Policy Management console, configure the Windows Anytime Upgrade settings.
E.    From the Update Services console, configure the Synchronization Schedule options.

Answer: C
Explanation:
In the section Computer Configuration \ Administrative Templates \ Windows Components \ Windows Update a GPO (GPOs) can be configured at a central location all the relevant settings for the Windows Update configuration of the desktop computer.

 

QUESTION 228
Your network contains an Active Directory forest named contoso.com. The domain contains three servers. The servers are configured as shown in the following table.

 

You plan to implement the BitLocker Drive Encryption (BitLocker) Network Unlock feature.
You need to identify which server role must be deployed to the network to support the planned implementation.
Which role should you identify?

A.    Network Policy and Access Services
B.    Volume Activation Services
C.    Active Directory Rights Management Services
D.    Windows Deployment Services

Answer: D
Explanation:
Windows Deployment Services (WDS) is a server role that enables you to remotely deploy Windows operating systems. You can use it to set up new computers by using a networkbased installation. This means that you do not have to install each operating system directly from a CD, USB drive or DVD. To use Windows Deployment Services, you should have a working knowledge of common desktop deployment technologies and networking components, including Dynamic Host Configuration Protocol (DHCP), Domain Name System (DNS), and Active Directory Domain Services (AD DS). It is also helpful to understand the Preboot eXecution Environment (also known as Pre-Execution Environment).

QUESTION 229
Drag and Drop Question
Your network contains an Active Directory domain named contoso.com. The domain contains a domain controller named DC1.
You need to create an Active Directory snapshot on DC1.
Which four commands should you run?
To answer, move the four appropriate commands from the list of commands to the answer area and arrange them in the correct order.

 

Answer:

 

Explanation:
http://technet.microsoft.com/nl-nl/library/cc753609%28v=ws.10%29.aspx
http://mizitechinfo.wordpress.com/2013/08/13/simple-step-create-a-snapshot-of-ad-ds-in-windows-server-2012-r2-by-using-ntdsutil/

QUESTION 230
Hotspot Question
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Print1.
Your company implements DirectAccess. A user named User1 frequently works at a customer’s office. The customer’s office contains a print server named Print1. While working at the customer’s office, User1 attempts to connect to Print1.
User1 connects to the Print1 server in contoso.com instead of the Print1 server at the customer’s office.
You need to provide User1 with the ability to connect to the Print1 server in the customer’s office.
Which Group Policy option should you configure?
To answer, select the appropriate option in the answer area.

 

Answer:

 

Explanation:
The policy setting allowing favoring local name indicates whether the user has the DirectAccess-entry options for connecting and disconnecting available when the user clicks on the icon for the network system tray.

When a user clicks on the “Disconnect” option, removed the NCA the DirectAccess rules from the policy table for name resolution (Name Resolution Policy Table, NRPT) and the DirectAccess client computer uses the next available normal name resolution in its current network configuration.

This includes sending all DNS queries to the local intranet or Internet DNS server. Note that the NCA does not remove existing IPsec tunnel and users can access Internet resources on the DirectAccess server continues by instead of names IPv6 addresses specify. Use the “Disconnect” option allows users to while connected to another Intranet specify unqualified names with a name (z. B. “PRINTSVR”) for local resources.

The same applies to the temporary access to intranet resources when the network location determination has erroneously recognized that the DirectAccess client computer is connected to its own Intranet. Use the “Connect” option allows users to DirectAccess rules to recover in the policy table for name resolution and the normal DirectAccess use functions.

QUESTION 231
Hotspot Question
Your network contains an Active Directory domain named contoso.com.
You need to create a certificate template for the BitLocker Drive Encryption (BitLocker) Network Unlock feature.
Which Cryptography setting of the certificate template should you modify?
To answer, select the appropriate setting in the answer area.

 

Answer:

 

Explanation:
Minimum key size should be 2048
https://technet.microsoft.com/en-us/library/jj574173.aspx#BKMK_CreateCertTmpl

QUESTION 232
Your network contains an Active Directory forest named contoso.com.
The forest functional level is Windows Server 2012 R2. The forest contains a single domain.
You create a Password Settings object (PSO) named PSO1.
You need to delegate the rights to apply PSO1 to the Active Directory objects in an organizational unit named OU1.
What should you do?

A.    From Active Directory Users and Computers, run the Delegation of Control Wizard.
B.    From Active Directory Administrative Center, modify the security settings of PSO1.
C.    From Group Policy Management, create a Group Policy object (GPO) and link the GPO to OU1.
D.    From Active Directory Administrative Center, modify the security settings of OU1.

Answer: B
Explanation:
PSOs cannot be applied to organizational units (OUs) directly. If your users are organized into OUs, consider creating global security groups that contain the users from these Ous and then applying the newly defined finegrained password and account lockout policies to them. If you move a user from one OU to another, you must update user memberships in the corresponding global security groups.
Go ahead and hit “OK” and then close out of all open windows. Now that you have created a password policy, we need to apply it to a user/group. In order to do so, you must have “write” permissions on the PSO object. We’re doing this in a lab, so I’m Domain Admin.
Write permissions are not a problem : )
1. Open Active Directory Users and Computers (Start, point to Administrative Tools, and then click Active Directory Users and Computers).
2. On the View menu, ensure that Advanced Features is checked.
3. In the console tree, expand Active Directory Users and Computers\yourdomain\System\Password Settings Container
4. In the details pane, right-click the PSO, and then click Properties.
5. Click the Attribute Editor tab.
6. Select the msDS-PsoAppliesTo attribute, and then click Edit.

QUESTION 233
Your network contains an Active Directory forest named contoso.com. The forest contains two domains named contoso.com and childl.contoso.com. All domain controllers run Windows Server 2012 R2. The domain contains four domain controllers.
The domain controllers are configured as shown in the following table.

 

You open Active Directory Users and Computers on a client computer and connect to DC1.
You display the members of a group named Group1 as shown in the Group1 Members exhibit. (Click the Exhibit button.)

 

When you view the properties of a user named Userl02, you receive the error message shown in the Error exhibit. (Click the Exhibit button.)

 

The error message does not display for any other members of Group1.
You need to identify which domain controller causes the issue shown in the error message. Which domain controller should you identify?

A.    DC1
B.    DC2
C.    DC10
D.    DC11

Answer: B
Explanation:
The infrastructure master for a domain periodically examines the references, within its replica of the directory data, to objects not held on that domain controller. It queries a Global Catalog server for current information about the distinguished name and SID of each referenced object. If this information has changed, the infrastructure master makes the change in its local replica and also replicates the new values to other domain controllers within the domain.
The error hints the object reference is not updated in Infrastructure Master of Contoso.com domain.

QUESTION 234
Your network contains an Active Directory domain named contoso.com.
All servers run Windows Server 2012. The domain contains a file server named Server1.
All client computers run Windows 8. Users share the client computers and frequently log on to different client computers.
You need to ensure that when the users save files in the Documents folder, the files are saved automatically to \\Server1\Users\.
The solution must minimize the amount of network traffic that occurs when the users log on to the client computers.
What should you do?

A.    From a Group Policy object (GPO), configure the Folder Redirection settings
B.    From the properties of each user account, configure the Home folder settings
C.    From the properties of each user account, configure the User profile settings
D.    From a Group Policy object (GPO), configure the Drive Maps preference.

Answer: A
Explanation:
With the Folder Redirection allows you to redirect to a new location, for example to a network share the location of specific folders within user profiles.. Folder Redirection is used in the management of user profiles and roaming user profiles. You can configure the folder redirection by using Group Policy Management Console to redirect specific user profile folders and to edit policy settings for folder redirection.
User settings and user files are typically stored in the local user in the User folder profile. The access to the files in the local user profile can only be made from the current computer. It is therefore difficult for users with more than one computer to work with the data and synchronize settings between multiple computers.
By configuring the Folder Redirection allows you to redirect the path of a folder to a new location. The path can be a folder on the local computer or a directory on a network file share. Users have the ability to use the documents on a server as if the documents were stored on the local hard disk. The documents in the folder are available to the user from any computer on the network.

 

QUESTION 235
Hotspot Question
You have a server named Server1 that runs Windows Server 2012 R2. Server1 has two network adapters and is located in a perimeter network.
You need to configure Server1 as a network address translation (NAT) server.
Which node should you use to add the NAT routing protocol?
To answer, select the appropriate node in the answer area.

 

Answer:

 

Explanation:
Additional routing protocols can be installed on the node IPv4 \ General.

QUESTION 236
Hotspot Question
You have a server named Server5 that runs Windows Server 2012 R2. Servers has the Windows Deployment Services server role installed.
You need to ensure that when client computers connect to Server5 by using PXE, the computers use an unattended file.
What should you configure?
To answer, select the appropriate tab in the answer area.

 

Answer:

 

QUESTION 237
Your network contains a server named Server1 that has the Network Policy and Access Services server role installed. All of the network access servers forward connection requests to Server1. You create a new network policy on Server1.
You need to ensure that the new policy applies only to connection requests from Microsoft RAS servers that are located on the 192.168.0.0/24 subnet.
Which two configurations should you perforin?
(Each correct answer presents part of the solution. Choose two.)

A.    Set the MS-RAS Vendor ID condition to $teelHead.
B.    Set the Called Station ID constraint to 192.168.0.
C.    Set the Client IP4 Address condition to 192.168.0.0/24.
D.    Set the MS-RAS Vendor ID condition to ^311$.
E.    Set the Called Station ID constraint to 192.168.0.0/24.
F.    Set the Client IP4 Address condition to 192.168.0.

Answer: DF
Explanation:
D: MS-RAS-Vendor Matches “^311$” ) The condition means that the policy applies only when the version of the RADIUS client is ^311$, so subsequent settings in this policy apply only to RRAS machines.
F: Client IPv4 Address
Specifies the Internet Protocol (IP) version 4 address of the RADIUS client that forwarded the connection request to the NPS server.

QUESTION 238
Your network contains an Active Directory domain named contoso.com.
The domain contains a server named Server1. Server1 is configured as a VPN server.
You need to configure Server1 to perform network address translation (NAT).
What should you do?

A.    From Network Connections, modify the Internet Protocol Version 6 (TCP/IPv6) setting of each
network adapter.
B.    From Routing and Remote Access, add an IPv4 routing protocol.
C.    From Routing and Remote Access, add an IPv6 routing protocol.
D.    From Network Connections, modify the Internet Protocol Version 4 (TCP/IPv4) setting of each
network adapter.

Answer: B
Explanation:
To configure an existing RRAS server to support both VPN remote access and NAT routing:
1. Open Server Manager.
2. Expand Roles, and then expand Network Policy and Access Services.
3. Right-click Routing and Remote Access, and then click Properties.
4. Select IPv4 Remote access Server or IPv6 Remote access server, or both.

QUESTION 239
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that has the Remote Access server role installed. DirectAccess is implemented on Server1 by using the default configuration.
You discover that DirectAccess clients do not use DirectAccess when accessing websites on the Internet.
You need to ensure that DirectAccess clients access all Internet websites by using their DirectAccess connection.
What should you do?

A.    Disable the DirectAccess Passive Mode policy setting in the DirectAccess Client Settings Group
Policy object (GPO).
B.    Configure a DNS suffix search list on the DirectAccess clients.
C.    Enable the Route all traffic through the internal network policy setting in the DirectAccess Server
Settings Group Policy object (GPO).
D.    Configure DirectAccess to enable force tunneling.

Answer: D
Explanation:
With IPv6 and the Name Resolution Policy Table (NRPT), by default, DirectAccess clients separate their intranet and Internet traffic as follows:
– DNS name queries for intranet fully qualified domain names (FQDNs) and all intranet traffic is exchanged over the tunnels that are created with the DirectAccess server or directly with intranet servers. Intranet traffic from DirectAccess clients is IPv6 traffic.
– DNS name queries for FQDNs that correspond to exemption rules or do not match the intranet namespace, and all traffic to Internet servers, is exchanged over the physical interface that is connected to the Internet. Internet traffic from DirectAccess clients is typically IPv4 traffic.
In contrast, by default, some remote access virtual private network (VPN) implementations, including the VPN client, send all intranet and Internet traffic over the remote access VPN connection. Internet-bound traffic is routed by the VPN server to intranet IPv4 web proxy servers for access to IPv4 Internet resources. It is possible to separate the intranet and Internet traffic for remote access VPN clients by using split tunneling. This involves configuring the Internet Protocol (IP) routing table on VPN clients so that traffic to intranet locations is sent over the VPN connection, and traffic to all other locations is sent by using the physical interface that is connected to the Internet.
You can configure DirectAccess clients to send all of their traffic through the tunnels to the DirectAccess server with force tunneling. When force tunneling is configured, DirectAccess clients detect that they are on the Internet, and they remove their IPv4 default route. With the exception of local subnet traffic, all traffic sent by the DirectAccess client is IPv6 traffic that goes through tunnels to the DirectAccess server.

QUESTION 240
Your network contains an Active Directory domain named contoso.com. The domain contains a read-only domain controller (RODC) named RODC1.
You create a global group named RODC_Admins.
You need to provide the members of RODC_Admins with the ability to manage the hardware and the software on R0DC1. The solution must not provide RODC_Admins with the ability to manage Active Directory objects.
What should you do?

A.    From Active Directory Users and Computers, run the Delegation of Control Wizard
B.    From a command prompt, run the dsadd computer command
C.    From Active Directory Users and Computers, configure the Managed By settings of the RODC1 account.
D.    From Active Directory Site and Services, configure the Security settings of the RODC1 server object.

Answer: C
Explanation:
Modify the Managed By tab of the RODC account properties in the Active Directory Users and Computers snap-in, as shown in the following figure. You can click Change to change which security principal is the delegated RODC administrator. You can choose only one security principal. Specify a security group rather than an individual user so you can control RODC administration permissions most efficiently. This method changes the managedBy attribute of the computer object that corresponds to the RODC to the SID of the security principal that you specify. This is the recommended way to specify the delegated RODC administrator account because the information is stored in AD DS, where it can be centrally managed by domain administrators.

 

Incorrect:
Not A: You delegate administration of a domain or organizational unit by using the Delegation of Control wizard available in the Active Directory Users and Computers snap- in.
Not B: dsadd group just adds a group to the Active Directory

More free Lead2pass 70-411 exam new questions on Google Drive: https://drive.google.com/open?id=0B3Syig5i8gpDSmRhaVRWcW5Cc1k

Lead2pass offers the latest Microsoft 70-411 exam questions and answers in PDF & VCE. We promise 100% 70-411 exam pass or full money back (Have a try- If success, you will get a high pay job! Failed, nothing, money back!)! We provide instant download of our 70-411 dumps after payment so you can study earlier than others!

2017 Microsoft 70-411 (All 449 Q&As) exam dumps (PDF&VCE) from Lead2pass:

https://www.lead2pass.com/70-411.html [100% Exam Pass Guaranteed]