Microsoft Networking with Windows Server Certification Practice Exam Questions and Answers 2024

* Question 1: Correct

Which of the following are required to use SR-IOV?

1 Gbps or higher NICs installed on the host machine.
A supported PCI Express NIC installed on the host machine.
SR-IOV installation on your existing virtual switches.
High-end CPUs installed on the host machines.

EXPLANATION
SR-IOV must be supported by the PCI Express NIC on the host. High-speed NICs of 10 Gbps or higher are required. You must enable SR-IOV on the virtual switch when the switch is created; you cannot enable it after the switch has been created. The benefits of SR-IOV include lower CPU utilization, lower network latency, and higher network throughput.

REFERENCES
9.5 Single-Root IO Virtualization (SR-IOV)
9.5.1 Single-Root IO Virtualization Overview
9.5.2 Configuring SR-IOV
9.5.3 SR-IOV Facts

* Question 2: Correct

You have a Windows Server 2016 server. Recently, your server experienced a corrupted database. Windows automatically recovered the database without any intervention on your part. Then you discover that items in the Conflicts and Deleted folder are missing. You need to recover these items. What should you do to recover the items?

Go to the Recycle Bin and restore the items to a new location.
Recover the files from a known good backup.
Use PowerShell to restore the files.
The files cannot be recovered.

EXPLANATION
DFSR will automatically attempt to recover a corrupted database, but the items in the Conflicts and Deleted folder will not be recovered automatically and need to be recovered using PowerShell. These items do not go to the Recycle Bin. Conflicts and Deleted folder items are not backed up.
REFERENCES
8.4 Manage the DFS Replication Database
8.4.1 Managing the DFS Replication Database
8.4.3 Recovering a DFSR Database
8.4.4 DFS Replication Database Management Facts

* Question 5: Correct

Your company has recently added a traveling sales force. To allow salesmen access to the network while traveling, you install two additional servers. You configure the servers (REM1 and REM2) as remote access servers to accept incoming calls from remote clients. You configure network access policies on each server. The solution is working fine, but you find that you must make constant changes to the remote access policies. You install the Network Policy and Access Services role on a third server (REM3). You configure network access policies on REM3. Following the installation, you verify that all clients can connect to REM1 and REM2. Then you delete the custom network access policies on both servers. Now, no clients can make a remote access connection. What should you do?

Configure each remote access client to dial REM3 for authentication.
Configure each remote access client to use callback.
Configure REM1 and REM2 with the phone number of REM3.
Configure each remote access client as REM3's RADIUS client.
Configure REM1 and REM2 as REM3's RADIUS clients.
Configure REM1 and REM2 as RADIUS proxies.

EXPLANATION
Configure REM1 and REM2 as REM3's RADIUS clients. Each server uses locally stored policies to grant connection requests. Originally, all clients could connect because of the policy stored on each server. When the policies were deleted, all connections were denied. Each server must be configured to forward authentication requests to REM3. To configure RADIUS clients, configure the remote access servers to point to the RADIUS server for authentication. On the RADIUS server, configure the server to recognize the remote access servers as RADIUS clients.
REFERENCES
7.1 Install Network Policy Server (NPS)
7.1.1 NPS Overview
7.1.2 Installing NPS
7.1.3 NPS Installation Facts
7.2 NPS Templates
7.2.1 NPS Templates Overview
7.2.2 Creating NPS Templates
7.2.3 NPS Template Facts
7.3 NPS Network Policies
7.3.4 Configuring a RADIUS Client
7.3.5 Configuring a RADIUS Proxy
7.5 RADIUS Accounting
7.5.1 RADIUS Accounting
7.5.2 Configuring RADIUS Accounting
7.5.3 RADIUS Accounting Facts
7.6 Manage NPS Policies
7.6.1 Importing and Exporting NPS Policies
7.6.2 NPS Policy Management Facts

* Question 6: Correct

You are the administrator of a network with a single subnet. A single Windows server (Srv1) on Subnet1 is the domain controller, DNS server, and DHCP server. Due to recent expansion, you are adding a second subnet. The second subnet is connected to the first using a dedicated router. On Subnet2, you add a second Windows server (Srv2) that provides file and print services for hosts on that subnet. You want hosts on Subnet2 to receive IP addressing information from the server on Subnet1. What should you do? (Select two. Each choice is a complete solution.)

On Srv2, add the Remote Access role with routing. In Routing and Remote Access, configure the Relay Agent protocol.
Enable BootP forwarding on the router connecting Subnet1 to Subnet2.
On Srv2, add the DHCP server role. Configure a scope for Subnet2.
On Srv2, add the DHCP server role. Configure a superscope for Subnet2.
On Srv2, add the Network Policy and Access Services role with routing. In Routing and Remote Access, configure the IGMP Router and Proxy protocol.

EXPLANATION
Because you want IP addresses to be assigned by the DHCP server on Subnet1, install the Remote Access role on Srv2 and configure it as a DHCP relay agent. When clients on Subnet2 boot, the DHCP request packets will be forwarded by the server to the DHCP server on Subnet1. Without the relay agent service, DHCP broadcasts will not be forwarded through the network.
You can also allow DHCP broadcasts through the router by enabling BootP forwarding. Configuring a scope on Srv2 means that clients receive IP addressing information from Srv2 (not Srv1, as stated in the requirements). Use a superscope to configure multiple address ranges for a single subnet. Configure IGMP to allow a server to route multicast messages.

REFERENCES
3.5 Centralized DHCP and PXE
3.5.1 Centralized DHCP
3.5.2 Configuring a DHCP Relay Agent
3.5.3 DHCP Centralization Facts

* Question 9: Correct

You are the network administrator for CorpNet.xyz. The company has six internal networks that are routable within the company and use IPv4 private addressing. In preparation for the transition to IPv6, you have been asked to configure DHCP to support IPv6 address distribution. You need to create a new IPv6 scope on the DHCP server. The prefix for the scope must support private addressing and be routable on the internal network. Which prefix should you use?

FD00:1:2::
FE80::
FF00::
2002::

EXPLANATION
You should use the FD00:1:2:: prefix. Private internal IPv6 addresses (Unique Local addresses) start with a prefix of either FD00 or FC00. The FF00 prefix is used for IPv6 multicast addresses. The FE80 prefix is reserved for link-local addresses, which are analogous to IPv4 APIPA addresses: they are automatically assigned and used only on the local network, and they are not routable. IPv6 addresses that start with a 2 are Global Unicast addresses and are used only on the internet.

REFERENCES
3.4 Advanced Scopes
3.4.6 Configuring a DHCPv6 Scope
3.4.7 DHCPv6 Scope Facts

* Question 10: Correct

A server has the ability to recover from a hardware failure because other hardware can immediately take over when a device has malfunctioned. Which of the following is the name for this ability?

RSS
Load Balancing
QoS
Failover

EXPLANATION
Failover is switching to a redundant or standby server, system, hardware component, or network when a device malfunctions.
Quality of Service (QoS) allows you to configure priorities for different types of network traffic so that high-priority traffic is guaranteed delivery before regular data. Receive Side Scaling (RSS) distributes network traffic to multiple CPU cores for processing. Load Balancing improves the distribution of workloads across multiple computing resources, such as NICs, disk drives, and network links.

REFERENCES
10.3 Implement Software Load Balancer (SLB)
10.3.1 Implement SLB
10.3.2 SLB Implementation Facts

* Question 11: Correct

Rachel is a system administrator. She decides to use IPAM to manage her DHCP servers. Which of the following DHCP features can be configured within IPAM? (Select all that apply.)

Configure static IP addresses on client computers.
Configure DHCP exclusions.
Create and configure DHCP scopes.
Configure IP helper tables.

EXPLANATION
Rachel can configure DHCP scopes and exclusions from IPAM. Static IP addresses are configured with neither IPAM nor DHCP. IP helper tables are used to allow broadcast messages through routers.

REFERENCES
4.2 IPAM DNS and DHCP
4.2.1 IPAM and DHCP Overview
4.2.2 Manage the DHCP Server with IPAM
4.2.3 Configure DHCP Scopes and Options with IPAM
4.3.1 Advanced IPAM Administration Overview

* Question 14: Correct

This question includes an image to help you answer the question. You have a computer that runs Windows 10. You work out of a branch office with BranchCache configured. The configuration caches files on a server in the branch office. You run the netsh command on your client computer and see the output listed in the image. How should you modify the client configuration?

Obtain an SSL certificate for the client.
Change the mode to hosted cache.
Enable additional firewall rules.
Increase the publication cache size.
Change the service startup type to automatic.

EXPLANATION
Your BranchCache solution is configured to use Hosted Cache mode, with content being cached on a server in the branch office.
Based on the output, the operating mode for the client is Distributed Cache mode (see the Service Mode line). The BranchCache service does not need to be constantly running; it is started automatically when BranchCache is used by the client. An SSL certificate or additional firewall rules are not required. Only items designated as <Required> are necessary for the BranchCache configuration. Items designated as <Not Required> are not needed for successfully running BranchCache.

REFERENCES
8.5.1 BranchCache Overview
8.5.2 BranchCache Facts
8.5.3 Installing BranchCache
8.5.4 Implementing Distributed Mode
8.5.5 Implementing Hosted Cache Mode
8.5.6 Implementing BranchCache for Application Servers
8.5.7 Troubleshooting BranchCache
8.5.8 BranchCache Configuration Facts

* Question 15: Correct

You manage a network with two locations. The main office is in Phoenix, and a branch office is in Tulsa. SRV1 is a DNS server in Phoenix. SRV1 holds the primary zone for the eastsim.local zone. To improve name resolution requests in the branch office, you place a secondary copy of the zone on SRV5 in the Tulsa location. Due to recent expansion, you are adding more servers to the Phoenix location. For each server, you manually create the A and PTR records. You find that after you add a server, computers in the Tulsa location are unable to contact the new server for up to 10 minutes. You want to make sure that hosts in Tulsa can contact these servers using DNS as quickly as possible. What should you do?

Enable DNS Notify options on the zone on SRV1.
Decrease the refresh interval in the SOA record for the zone.
Configure the zone to use incremental zone transfers (IXFR).
Increment the zone serial number on SRV1 each time you make a change.

EXPLANATION
To have changes made to a zone propagate as quickly as possible, configure the zone to support DNS Notify. When a change is made, the primary server notifies the servers in its notify list.
These servers can then initiate a zone transfer to receive the necessary changes. Decreasing the refresh interval in the SOA record causes secondary servers to check the master server for zone changes more frequently, but still results in a delay. When you add a record to the DNS database through the DNS console, the zone serial number is automatically incremented. Simply changing the zone serial number does not trigger a zone transfer; instead, the secondary server waits until the refresh interval expires before checking to see whether changes have taken place.

REFERENCES
1.3 Primary and Secondary DNS Zones
1.3.1 DNS Zones
1.3.2 Creating a Primary Zone
1.3.3 Creating a Secondary Zone
1.3.5 DNS Zone Facts
1.3.6 Create a Zone
1.3.7 Create a Reverse Lookup Zone
1.3.9 Convert a Zone to Active Directory-Integrated

* Question 16: Correct

You use a Windows client system on your desktop. Your company has begun migrating your network to IPv6. You need to configure your computer with a static IPv6 address. Which command should you use to configure a static IPv6 address?

netstat
ipconfig
netsh
net use

EXPLANATION
The netsh command is used to manually configure network interfaces with IPv6 information, such as the IP address, default gateway, and DNS server addresses. Use ipconfig to view configuration information, purge the DNS cache, or release and renew DHCP leases. Use net use to map drives to shared resources. Use netstat to view protocol statistics and TCP/IP connections.

REFERENCES
2.2.1 IPv6 Addressing
2.2.2 IPv6 Subnetting
2.2.5 IPv6 Addressing Facts
1.4.7 Create a Root Zone
1.5.8 Create a Zone and Add Records

* Question 18: Correct

A virtual NIC's performance is increased because the physical NIC can deliver packets from the external network directly to the virtual NIC, bypassing the management operating system. Which technology allows the NIC to do this?
SMB Direct
Quality of Service (QoS)
Receive Side Scaling (RSS)
Virtual Machine Queue (VMQ)

EXPLANATION
VMQ allows a network interface to transfer incoming frames directly to virtual NICs using Direct Memory Access. This avoids copying them from the management operating system to the virtual machine. SMB Direct allows direct memory-to-memory data transfers between servers with very little or no CPU usage. Receive Side Scaling (RSS) distributes network traffic to multiple CPU cores for processing. Quality of Service (QoS) allows you to configure priorities for different types of network traffic so that higher priority traffic is guaranteed delivery before regular data.

REFERENCES
9.3 Virtual Machine Queue (VMQ) and Receive Side Scaling (RSS)
9.3.4 Configuring vRSS on a VMQ Network Adapter
9.3.6 VMQ and RSS Facts
2.1.8 Configuring IPv4
2.1.9 IPv4 Addressing Facts
2.2 IPv6 Addresses
2.2.2 IPv6 Subnetting

* Question 19: Correct

You have a laptop computer that runs Windows 10. The computer is a member of a domain. You want to use DirectAccess to access application servers on your corporate intranet. Application servers are currently running Windows Server 2008. You need to implement a solution that accomplishes the following:

All communications sent to the private network over the internet are encrypted.
Client computers authenticate with application servers on the intranet.
Following authentication, traffic on the intranet is not encrypted.

What should you do? (Select two. Each choice is a required part of the solution.)

Upgrade application servers to Windows Server 2008 R2 or newer.
Configure selected server access (modified end-to-edge).
Configure full enterprise network access (end-to-edge).
Configure end-to-end access.

EXPLANATION
Configure DirectAccess using selected server access (modified end-to-edge). IPsec encrypts communications between the client and the IPsec gateway, but authenticates all the way to the application server.
Once authenticated, traffic on the private intranet is not encrypted (encryption is removed at the DirectAccess server). Using modified end-to-edge access requires that application servers run Windows Server 2008 R2 or newer. End-to-end access both authenticates and encrypts all traffic between the client and the application server. End-to-edge access authenticates and encrypts traffic with the DirectAccess server, but does not authenticate or encrypt traffic between the DirectAccess server and application servers.

REFERENCES
6.1 DirectAccess Installation
6.1.1 DirectAccess Overview
6.1.2 Installing DirectAccess
6.1.3 Configuring DirectAccess Clients
6.1.4 DirectAccess Installation Facts
6.1.5 DirectAccess Configuration Facts
7.3.1 NPS Network Policies

* Question 20: Correct

This question includes an image to help you answer the question. You have a small network as shown in the image. You are unable to ping Wrk2 from Wrk1. What should you do to fix the problem?

Change the IP address assigned to Wrk2.
Change the default gateway address on Wrk2.
Change the subnet mask on Wrk2.
Change the subnet mask on Wrk1.
Change the IP address assigned to Wrk1.
Change the default gateway address on Wrk1.

EXPLANATION
In this scenario, the subnet mask on the workstation is incorrect. The network for Wrk1 and RouterA uses a 29-bit mask, which has the decimal value 255.255.255.248. For RouterA, the LAN connection uses the subnet address 10.250.60.208; valid host addresses on this subnet are 10.250.60.209 to 10.250.60.214. For RouterB, the LAN connection uses the subnet address 172.26.116.192; valid host addresses are 172.26.116.193 to 172.26.116.254. The default gateway address for a workstation should be the IP address of the router interface connected to the same subnet as the workstation.
REFERENCES
2.1 IPv4 Addresses
2.1.1 Understanding Binary Numbers
2.1.10 Custom Addressing Facts
2.1.2 IPv4 Addressing
2.1.3 IPv4 Address Classes and NAT Routing
2.1.4 Understanding the Basics of ANDing
2.1.5 IPv4 Classless Inter-Domain Routing (CIDR)
2.1.6 IPv4 Advanced ANDing
2.1.7 IPv4 Network Subnetting
2.1.8 Configuring IPv4
1.3.3 Creating a Secondary Zone
1.3.5 DNS Zone Facts
1.3.6 Create a Zone
1.3.7 Create a Reverse Lookup Zone
1.3.9 Convert a Zone to Active Directory-Integrated
1.4.7 Create a Root Zone
1.5.8 Create a Zone and Add Records

* Question 23: Correct

You need to add a new replication target for an existing DFS folder, which currently contains several terabytes of data. To speed up initial replication to the new target, you decide to clone the DFS database. You plan to do the following to accomplish this:

Install the DFS Replication role on both servers (source and target).
Verify that the folder to be replicated on the source server is in the Normal state.
Export the DFS Replication database from the source server using the Export-DfsrClone cmdlet.
Preseed the files to be replicated by manually copying them from the source server to the target server using File Explorer.
Import the database on the target server using the Import-DfsrClone cmdlet.
Add the destination server to the replication group using the Add-DfsrMember and Add-DfsrConnection cmdlets.

Will this deployment plan work?

Yes. All prerequisites for using DFS cloning have been met.
No. The folder to be replicated on the source server must be in the Initial Sync state.
No. The robocopy utility should be used to preseed files on the target server.
No. The Import-DfsrFiles cmdlet should be used to preseed files on the target server.

EXPLANATION
Preseeding during DFS cloning involves manually copying the files to be replicated to the target server. For preseeding to work, however, you must copy the files from the source server to the target server without changing their file hashes.
The file hash is used by DFS to ensure that any changes made to the files get replicated to all appropriate DFS servers. Incorrectly preseeding files causes initial replication to be much slower than if you had not used DFS cloning at all. Therefore, you must use a file management utility that preserves file hashes, such as robocopy, when copying files to the target server during the preseeding process. There is no DFS Replication management cmdlet named Import-DfsrFiles. Folders to be replicated on the source server must be in the Normal state; they must not be in the Initial Sync, Initial Rebuilding, or Recovery states.

REFERENCES
8.4 Manage the DFS Replication Database
8.4.1 Managing the DFS Replication Database
8.4.3 Recovering a DFSR Database

* Question 24: Correct

Software-defined networking (SDN) uses a controller to manage the devices. The controller is able to inventory hardware components in the network, gather network statistics, make routing decisions based on gathered data, and facilitate communication between devices from different vendors. It can also be used to make widespread configuration changes from just one device. Which of the following statements best describes an SDN controller?

The SDN controller is software.
The SDN controller is hardware.
The SDN controller is a virtual networking device.
The SDN controller is a networking protocol.

EXPLANATION
SDN uses a controller to manage the devices. The controller is software that is able to inventory hardware components in the network, gather network statistics, make routing decisions based on gathered data, and facilitate communication between devices from different vendors. It can also be used to make widespread configuration changes from just one device.
REFERENCES
10.1 Implement SDN
10.1.1 Software-Defined Networking Basics
10.1.2 SDN Infrastructure and Architecture
10.1.3 Implementing SDN
10.1.4 SDN Implementation Facts
8.4.4 DFS Replication Database Management Facts

* Question 27: Correct

You are the network administrator for eastsim.com. The network consists of a single Active Directory domain. All of the servers run Windows Server 2016 Standard edition. All of the clients run Windows 10. A domain controller named DC1 functions as a DNS server that hosts a standard primary zone, eastsim.com. All of the other domain controllers host standard secondary zones for eastsim.com. A new corporate directive requires that all DNS communication be secure. The DNS records must be cryptographically signed by the DNS server so that clients can validate that the DNS server responses are authentic and have not been subject to tampering. You must configure DNS to comply with the new policy. What should you do?

Upgrade the servers to Windows 2016 Datacenter edition.
Implement a domain-based IPSec policy that requires that all DNS traffic be encrypted.
Change the eastsim.com zone to an Active Directory-integrated zone.
Implement DNS Security Extensions (DNSSEC).

EXPLANATION
Implement DNS Security Extensions (DNSSEC). The ability to create DNS Security Extensions (DNSSEC) was introduced in Windows Server 2008 R2. DNSSEC allows a DNS zone and all the records in the zone to be cryptographically signed. When a DNS server receives a query, it returns the digital signatures in addition to the records. The computer that originated the query can obtain the public key of the DNS server and validate that the responses are authentic and have not been subject to tampering. Changing the zone to an Active Directory-integrated zone will ensure that all zone transfers are encrypted. By default, Active Directory-integrated zones use Active Directory replication to transfer DNS information.
Active Directory replication is encrypted using the Kerberos protocol. Implementing a domain-based IPSec policy that requires all DNS traffic to be encrypted will also ensure secure DNS communication. However, neither of these options results in the records being cryptographically signed. All editions of Windows Server 2016 have the same DNS features; they all support DNSSEC. There is no advantage to upgrading the edition of Windows Server 2016 in this particular scenario.

REFERENCES
1.9 DNS Protection
1.9.1 DNS Protection Features
1.9.2 Configuring DNS Security Extensions (DNSSEC)
1.9.7 DNS Protection Facts
1.9.8 Configure DNSSEC

* Question 28: Correct

This question includes an image to help you answer the question. You are the network administrator for westsim.com. The network consists of a single domain. All of the servers run Windows Server 2016. All of the clients run Windows 10. The company has one main office and one branch office. A file server named FS1 is located in the main office and hosts several shares. A member server named DC2 is located in the branch and functions as a domain controller. Users at the branch office complain that there are often delays when they access files from FS1. You decide to implement the BranchCache feature. You view the BranchCache configuration of DC2, which is shown in the image. You need to ensure that users in the branch office can retrieve cached files from DC2. Which option will best accomplish this task?

Run the netsh.exe branchcache set service mode=HOSTEDSERVER command on DC2.
Run the netsh.exe branchcache flush command on DC2.
Run the netsh.exe branchcache set service mode=DISTRIBUTED command on DC2.
Run the netsh.exe branchcache reset command on DC2.

EXPLANATION
You should run the netsh.exe branchcache set service mode=HOSTEDSERVER command on DC2.
BranchCache is intended to improve latency by caching files that are used in the branch office on local computers so that the files may be obtained from the cached copy. In the image, the statement "This machine is not configured as a hosted cache client" shows that BranchCache has not yet been configured on the server. Since this is the server, we need to configure it to act as the hosted cache server using the netsh.exe branchcache set service mode=HOSTEDSERVER command. The clients are configured using the netsh.exe branchcache set service mode=HOSTEDCLIENT command. BranchCache has two modes: hosted and distributed. In hosted mode, content is cached centrally at a server located at the branch office. In distributed mode, content is cached at any Windows 10 machine that requests the content from the main office. Since all of the machines in the branch office would host part of the cache, the cache is distributed among the participating machines. The netsh.exe branchcache set service mode=DISTRIBUTED command would be run on a Windows 10 machine to configure BranchCache in distributed mode. The netsh.exe branchcache reset command is used to reset the BranchCache settings to their default, which is disabled. The netsh.exe branchcache flush command would be used to empty the cache and clear out any files that have been cached on the server.

REFERENCES
8.5.1 BranchCache Overview

* Question 31: Correct

You manage the network infrastructure for the westsim.com domain. All servers have recently been upgraded to Windows Server 2016, and all clients run Windows 10. All server and client computers are members of the domain. You have configured a DFS solution with a domain-based DFS root. Srv1 hosts the DFS root, and the namespace is named Sales. A single folder named Contacts in the DFS root points to the SalesSF shared folder on Srv3.
You would like to provide redundancy so that the data in the Contacts shared folder will still be available, even if Srv1 goes down. You want to use Srv4 to provide the redundancy. What should you do?

Share a folder on Srv4. Create a new folder in DFS, using the new folder on Srv4 as the target.
Add Srv4 as a namespace server.
Configure Srv4 as a cluster server to Srv3.
Share a folder on Srv4. Add this folder as a target to the Contacts folder. Configure DFS replication.

EXPLANATION
To add redundancy to the DFS root, configure additional namespace servers. Each namespace server holds information about the DFS structure. Only domain-based DFS roots can have multiple namespace servers. Users connect to the namespace using the domain name in the UNC path. Active Directory automatically directs the users to the closest namespace server. Configure additional folder targets and replication to provide redundancy for the data in a shared folder. Replication keeps the data in the folders synchronized. When users connect to a shared folder, they are redirected to the closest server that holds a replica of the shared folder.

REFERENCES
8.1 Distributed File System (DFS) Namespaces
8.1.1 DFS Namespaces Overview
8.1.2 Creating a DFS Namespace
8.1.3 Configuring Fault Tolerance for DFS Namespaces
8.1.4 DFS Facts
8.1.5 Add Role Services for DFS and Create a Namespace

* Question 32: Correct

You are a systems administrator for WestSim Corporation. As part of a new security initiative, the IT department has developed a custom application that reports the host name of all clients that try to access three sensitive servers in the Accounting department. The application has been working fine for the last three months. The company expands and adds a new building with a LAN connection to the rest of the network. This building has its own subnet, 192.168.5.0. You create a scope on an existing DHCP server for this subnet.
During a random check of the reporting software, you discover that the application reports the IP address, but not the host name, for clients on the new subnet. Everything works as designed for hosts on other subnets. You check the DNS database and find that none of the hosts on that subnet have an associated PTR record. What should you do?

Manually create CNAME records for each host on the subnet.
Create a primary reverse lookup zone for subnet 192.168.5.0.
Create a secondary reverse lookup zone for subnet 192.168.5.0.
Add a hosts file to the server running the reporting software.
Manually create PTR records for each host on the subnet.

EXPLANATION
You need to create a primary reverse lookup zone for the new subnet. The custom application uses the reverse lookup zone to find the host name for a given IP address. By default, Windows clients register their A (host) record, while the DHCP server registers the PTR (pointer) record. However, the reverse lookup zone must exist in the DNS database before the DNS server can create the PTR record.

REFERENCES
1.3 Primary and Secondary DNS Zones
1.3.1 DNS Zones
1.3.2 Creating a Primary Zone
1.3.5 DNS Zone Facts
1.3.6 Create a Zone
1.3.7 Create a Reverse Lookup Zone
1.3.9 Convert a Zone to Active Directory-Integrated

* Question 33: Correct

You are the network administrator for a small company that implements NAT to access the internet. However, you recently acquired five servers that must be accessible from outside your network. Your ISP has provided you with five additional registered IP addresses to support these new servers, but you don't want the public to access these servers directly. You want to place these servers behind your firewall on the inside network yet still allow them to be accessible to the public from the outside. Which method of NAT translation should you implement for these five servers?
Restricted
Dynamic
Overloading
Static

EXPLANATION
Static translation consistently maps an unregistered IP address to the same registered IP address on a one-to-one basis. Static NAT is particularly useful when a device needs to be assigned the same address so it can be accessed from outside the network, such as web servers and other similar devices. Dynamic translation would not work for these servers because it maps an unregistered host IP address to any available IP address configured in a pool of one or more registered IP addresses. Accessing a server assigned one of these addresses would be nearly impossible because the addresses are still shared by multiple hosts.

REFERENCES
5.1 Routing
5.1.4 Configuring Network Address Translation (NAT)
5.1.8 Network Address Translation (NAT) Facts
1.3.6 Create a Zone
1.3.7 Create a Reverse Lookup Zone
1.3.9 Convert a Zone to Active Directory-Integrated
1.4.7 Create a Root Zone
1.5.8 Create a Zone and Add Records

* Question 36: Correct

You are a network administrator. You have determined that you need to install and configure a local DNS server. You have decided that installing DNS on Nano Server is best for the following reasons. (Select three.)

Nano Server includes DNS by default.
Nano Server can be deployed as a Hyper-V VM.
Nano Server is offered at no cost.
Nano Server requires less disk space.
Nano Server requires fewer patches and reboots.
Nano Server provides a simpler graphical user interface for management.

EXPLANATION
Windows Server 2016 offers a new Nano Server installation option. A Nano Server is similar to Server Core mode, but has a significantly smaller footprint. It uses less disk space, it installs quickly, and it has fewer patches and reboots than the full-featured Windows Server. Because of this, Nano Server is ideal for many scenarios, including as a DNS server. A Nano Server doesn't have a graphical user interface.
You use PowerShell or other tools to connect to the Nano Server when configuring and managing it. And there is a cost associated with Nano Server.

REFERENCES
1.1 DNS Overview and Installation
1.1.2 Installing DNS
1.1.3 Installing DNS on Nano Server
1.1.4 DNS Overview and Installation Facts
1.1.5 Install DNS

* Question 37: Correct
Match the view in the IP Address Space node of the IPAM console with the tasks that can be performed in that view on the right. Each view may be used more than once.

Task                                          View
Edit an IP address block                      IP Address Blocks
Create a DHCP address reservation             IP Addresses
Create a DNS host record                      IP Addresses
Reclaim IP addresses                          IP Address Ranges
Create a DNS PTR record                       IP Addresses
Find and allocate available IP addresses      IP Address Ranges
Import and update IP addresses                IP Address Ranges

EXPLANATION

* Question 39: Correct
You manage the intranet servers for EastSim Corporation. The company network has three domains: eastsim.com, asiapac.eastsim.com, and emea.eastsim.com. The main company website runs on the web1.eastsim.com server with a public IP address of 101.12.155.99. A host record for the server already exists in the eastsim.com zone. You want internet users to be able to use the URL http://www.eastsim.com to reach the website.

What type of DNS record should you create?

- SRV
- PTR
- NS
- CNAME
- A
- SOA

EXPLANATION
Use a CNAME (alias) record to create alternate names for a host. The CNAME record points to the A (host) record. The CNAME record does not include the IP address of the host.

Other DNS records are used as follows:
- Each host should be represented by a single A record. Use CNAME records to register additional (alternate) host names.
- Use a PTR record to provide IP address-to-host name resolution.
- Use an NS (name server) record to identify name servers that perform name resolution for the zone.
- Use an SOA (start of authority) record to identify zone information, such as the serial number.
- Use an SRV (service locator) record to identify servers that provide specific services, such as domain controllers.

REFERENCES
1.11.7 Troubleshoot DNS Records
1.4 Zone Properties and Auxiliary DNS Zones
1.4.1 Zone Properties
1.5 DNS Records
1.5.1 DNS Record Types
1.5.2 Creating A and AAAA Records
1.5.3 Creating PTR Records
1.5.4 Creating CNAME Records
1.5.5 Creating MX Records
1.5.6 Managing NS and SRV Records
1.5.7 DNS Record Facts
1.5.8 Create a Zone and Add Records
1.5.9 Create CNAME Records

* Question 40: Correct
Your organization uses one primary DNS zone that is backed up by seven secondary DNS zones on other servers. You haven't made any changes to your primary zone. However, you want to be sure that all of your secondaries are up to date. To do this, you want to force a zone transfer to the secondary zones as soon as possible.

Click the option in the zone properties that you would use to force a zone transfer.

EXPLANATION

* Question 42: Correct
CorpNet is a small company with 14 client systems and a network printer. Because there are only a limited number of networked systems, you decide to use APIPA addressing for the network. With APIPA configured, all systems are able to communicate with each other, but you are having trouble configuring internet access.

What is the likely cause of the problem?

- Private addresses cannot directly communicate to hosts outside the local subnet.
- The DNS server is unavailable to resolve internet hostnames.
- The default gateway is not set on the server.
- All client systems must be rebooted.
- The default gateway is not set on the client systems.

EXPLANATION
APIPA assigns private addresses designed for use on single-subnet networks that do not use routers. If internet access is required, APIPA cannot be used to provide clients direct access to the internet. APIPA is enabled by default and will assign an address if the DHCP server is unavailable. APIPA assigns only an IP address and subnet mask.
A default gateway and DNS servers are not required to access network resources.

REFERENCES
3.9 Troubleshooting DHCP
3.9.1 Issues with DHCP
3.9.2 Configuring Alternate Addresses
3.9.3 Troubleshooting DHCP
3.9.4 DHCP Troubleshooting Facts

* Question 43: Correct
Which of the following best describes a network policy?

- A method for identifying and verifying the servers and clients that you connect with.
- A set of conditions, constraints, and settings used to authorize which remote users and computers can or cannot connect to a network.
- A tool that reduces the administrator's workload and minimizes the chance of human error when configuring RADIUS servers and clients.
- A Microsoft feature that controls the working environment of user accounts and computer accounts.

EXPLANATION
A network policy is a set of conditions, constraints, and settings used to authorize which remote users and computers can or cannot connect to the network. For example, a network policy can be configured to only allow users belonging to a particular group to remotely connect if they do so during non-working hours.

A Group Policy is a Microsoft feature that controls the working environment of user accounts and computer accounts. A certificate is the method for identifying and verifying the servers and clients you connect with. An NPS template is used to reduce the administrator's workload and minimize the chance of human error when configuring RADIUS servers and clients.

REFERENCES
7.2 NPS Templates
7.2.1 NPS Templates Overview
7.2.2 Creating NPS Templates
7.2.3 NPS Template Facts
7.3 NPS Network Policies
7.3.3 NPS Network Policy Facts

* Question 44: Incorrect
You have purchased a new laptop that runs Windows 10. You want to use DirectAccess to connect the computer to your corporate intranet. You will use Group Policy to enforce DirectAccess settings on the client.

What should you do to configure the laptop for the DirectAccess connection?

- Run the netsh command and set the service mode to Distributed.
- Use Windows Firewall with Advanced Security to enable the DirectAccess firewall rules.
- Create a VPN connection that uses the IKE v2 protocol.
- Join the computer to a domain.

EXPLANATION
To configure DirectAccess on a client computer:
- The computer must be running Windows 7 (Ultimate or Enterprise), Windows 8 Enterprise, or newer.
- Join the computer to a domain.
- Issue a computer certificate to the computer. This certificate is used for authentication.
- Make the computer account a member of the security group that was created when DirectAccess was configured on the server.

With this configuration, additional configuration information comes automatically through Group Policy.

IKE v2 is a VPN protocol introduced in Windows 7. DirectAccess does not establish a traditional VPN connection and does not use IKE v2. GPO settings automatically configure any firewall settings that are required by DirectAccess on the client computers. Using netsh to configure the computer for Distributed mode is a method used with BranchCache configuration.

REFERENCES
6.1 DirectAccess Installation
6.1.1 DirectAccess Overview
6.1.2 Installing DirectAccess
6.1.3 Configuring DirectAccess Clients
6.1.4 DirectAccess Installation Facts
6.1.5 DirectAccess Configuration Facts
7.3.1 NPS Network Policies

* Question 47: Correct
You are troubleshooting an issue with your DHCP server. You view the DHCP server statistics, which are shown in the top half of the image below. You go to a user's workstation and run the ipconfig /release command followed by ipconfig /renew. You view the DHCP server statistics again, which are shown in the bottom half of the image below.

What should you expect to see in the statistics that is not happening?

- Discovers are increasing, but offers are static.
- Discovers and offers are increasing, but requests are static.
- DHCP discovers are not increasing.
- DHCP discovers are not decreasing.

EXPLANATION
In this case, you can see that DHCP discovers are not increasing.
Discovers should have increased after you ran the ipconfig /release command followed by an ipconfig /renew command. This means there is a hardware failure preventing communication with the DHCP server. Potential problems include:
- Network adapter failure
- Network cable failure
- Failed switch
- Problem with a router
- Problem with a DHCP relay agent

REFERENCES
3.9 Troubleshooting DHCP
3.9.1 Issues with DHCP
3.9.2 Configuring Alternate Addresses
3.9.3 Troubleshooting DHCP
3.9.4 DHCP Troubleshooting Facts

* Question 48: Correct
You are the network administrator for corpnet.com. All of your servers run Windows Server 2016. You have a server named IPAM1 that has the IPAM feature installed on it. All of the IP addresses in the address block for the 192.168.0.0/16 network appear to be in use. You suspect that some of the IP addresses are available for use on the network. You need to update the IPAM database to show which IP addresses are available.

Which action should you take to accomplish this task?

- Right-click the IP Addresses and then click Delete DHCP Reservation.
- Right-click the IP Address Ranges and then click Retrieve Address Space Data.
- Right-click the IP Address Ranges and then click Reclaim IP Addresses.
- Right-click the IP Address Ranges and then click Find and Allocate Available IP Addresses.

EXPLANATION
You should right-click the IP Address Ranges and then click Reclaim IP Addresses. When you reclaim IP addresses, they are deleted from the IPAM database.

You would right-click the IP address ranges and then click Find and Allocate Available IP Addresses to find available IP addresses. IPAM considers an IP address available if the IP address does not currently exist in the IPAM database, is not reserved using a reservation, is not part of an exclusion on the DHCP server, does not respond to a ping request, and has no DNS PTR record associated with the IP address.
You would right-click the IP addresses and then click Delete DHCP Reservation to delete a DHCP reservation. You would right-click the IP address ranges and then click Retrieve Address Space Data to retrieve data from the DHCP servers that have the scopes that correlate to the IP address ranges.

REFERENCES
4.1 IPAM Installation
4.1.3 Create IP Blocks
4.1.4 IPAM Facts
4.3.4 Audit Changes to DHCP and DNS
4.3.5 Advanced IPAM Administration Facts

* Question 51: Correct
You want to allow users to connect to the private network. Users will connect to the internet while on the road, then connect to the private network. All users will use laptops that run Windows 10. You configure a Windows Server 2016 server as a router. During a random check one day, you notice that some connections are using PPTP while others are using L2TP. You want to force all connections to use L2TP.

What should you do?

- In Routing and Remote Access, edit the Ports node. Disable remote access and demand-dial routing connections for PPTP.
- In Routing and Remote Access, configure a remote access policy to accept only L2TP connections.
- In Routing and Remote Access, enable remote access and demand-dial routing connections for L2TP.
- In Routing and Remote Access, edit the PPTP ports and set the number of ports to 0.

EXPLANATION
The best way to configure the connections is to edit the ports and disable remote access and demand-dial routing for PPTP. This prevents any PPTP connections from being accepted on the server. Any clients that were not configured properly could still connect using PPTP.

Configuring a remote access policy would not work in this situation because the server is configured as a router, not a remote access server.

REFERENCES
5.2 Install VPN
5.2.1 VPN Concepts
5.2.2 Installing a VPN Server
5.2.5 VPN Installation Facts
5.3 VPNs
5.3.3 VPN Facts
7.3.1 NPS Network Policies

* Question 52: Correct
You have a TCP/IP network with 50 hosts.
There have been inconsistent communication problems between hosts. You run a protocol analyzer and discover that two hosts have the same IP address assigned.

Which protocol can you implement on your network to help prevent problems such as this?

- TCP
- IP
- ICMP
- DHCP

EXPLANATION
You can use the Dynamic Host Configuration Protocol (DHCP) to set up a DHCP server that assigns IP addresses automatically to network hosts. A DHCP server does not assign the same IP address to two different hosts.

REFERENCES
3.9 Troubleshooting DHCP
3.9.1 Issues with DHCP
3.9.2 Configuring Alternate Addresses
3.9.3 Troubleshooting DHCP
3.9.4 DHCP Troubleshooting Facts

* Question 53: Correct
You need to create a DNS record that identifies a service, protocol, and port number.

Which record type would you create?

- PTR
- MX
- SRV
- A
- CNAME

EXPLANATION
Use an SRV (service) record to identify the service by protocol and port number.

The A record identifies the hostname and IP address. A PTR record provides reverse lookup name resolution, providing the name from a given IP address. A CNAME record is an alias or alternate name for a host and points to an existing A record. An MX record identifies the FQDN of a mail server for a domain.

REFERENCES
1.11.7 Troubleshoot DNS Records
1.4 Zone Properties and Auxiliary DNS Zones
1.4.1 Zone Properties
1.5 DNS Records
1.5.1 DNS Record Types
1.5.2 Creating A and AAAA Records
1.5.3 Creating PTR Records
1.5.4 Creating CNAME Records
1.5.5 Creating MX Records
1.5.6 Managing NS and SRV Records
1.5.7 DNS Record Facts
1.5.8 Create a Zone and Add Records
1.5.9 Create CNAME Records
7.3.1 NPS Network Policies
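The record behaviour described in Questions 16, 39 and 53 (a CNAME alias that resolves through its target's A record, an SRV record looked up by service and protocol, and a PTR record that the DHCP server can only register once a reverse lookup zone covering the address exists) modelled as a small Python zone store. This is an added example, not part of the exam material and not Windows DNS itself; the eastsim.com names and address come from Question 39, and every other zone, host and address below is constructed for illustration.

```python
"""Toy DNS zone store: A, CNAME, PTR, SRV and MX lookups (added example)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Zone:
    name: str                                   # "eastsim.com" or "5.168.192.in-addr.arpa"
    records: dict = field(default_factory=dict)  # (owner, type) -> list of rdata

    def add(self, owner, rtype, rdata):
        self.records.setdefault((owner.lower(), rtype), []).append(rdata)

    def get(self, owner, rtype):
        return self.records.get((owner.lower(), rtype), [])


class DnsServer:
    def __init__(self):
        self.zones = {}

    def add_zone(self, zone):
        self.zones[zone.name.lower()] = zone

    def find_zone(self, owner):
        """Longest-suffix match of an owner name against the hosted zones."""
        labels = owner.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.zones:
                return self.zones[candidate]
        return None

    def register_ptr(self, ip, hostname):
        """The DHCP server's dynamic update of a client's PTR record.

        Returns False when no reverse lookup zone covers the address: the
        zone must exist before the PTR record can be created (Question 16).
        """
        owner = ipaddress.ip_address(ip).reverse_pointer  # "10.5.168.192.in-addr.arpa"
        zone = self.find_zone(owner)
        if zone is None:
            return False
        zone.add(owner, "PTR", hostname)
        return True

    def resolve(self, name, rtype, depth=0):
        """Return rdata for name/rtype, following a CNAME alias to its target."""
        if depth > 8:                       # guard against alias loops
            return []
        zone = self.find_zone(name)
        if zone is None:
            return []
        direct = zone.get(name, rtype)
        if direct:
            return direct
        if rtype != "CNAME":
            for target in zone.get(name, "CNAME"):
                return self.resolve(target, rtype, depth + 1)
        return []

    def reverse(self, ip):
        """IP address to host name via the PTR record in the reverse zone."""
        return self.resolve(ipaddress.ip_address(ip).reverse_pointer, "PTR")


def build_demo_server():
    """Constructed sample data: eastsim.com values from Question 39, rest made up."""
    server = DnsServer()
    fwd = Zone("eastsim.com")
    fwd.add("web1.eastsim.com", "A", "101.12.155.99")
    fwd.add("www.eastsim.com", "CNAME", "web1.eastsim.com")        # alias, no IP of its own
    fwd.add("_ldap._tcp.eastsim.com", "SRV", (0, 100, 389, "dc1.eastsim.com"))
    fwd.add("eastsim.com", "MX", (10, "mail.eastsim.com"))
    server.add_zone(fwd)
    server.add_zone(Zone("4.168.192.in-addr.arpa"))   # reverse zone for 192.168.4.0/24
    # Deliberately no reverse zone for 192.168.5.0/24: the new subnet in Question 16.
    return server


if __name__ == "__main__":
    s = build_demo_server()
    print("www.eastsim.com A ->", s.resolve("www.eastsim.com", "A"))
    print("PTR for 192.168.5.10 registered:", s.register_ptr("192.168.5.10", "host5.eastsim.com"))
    s.add_zone(Zone("5.168.192.in-addr.arpa"))
    print("after creating the zone:", s.register_ptr("192.168.5.10", "host5.eastsim.com"))
    print("192.168.5.10 ->", s.reverse("192.168.5.10"))
```

register_ptr plays the part of the DHCP server's dynamic update: it fails for 192.168.5.10 until a 5.168.192.in-addr.arpa zone is added, which is exactly why the reporting application in Question 16 shows addresses but no host names for the new subnet.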
* Question 56: Correct
You are the network administrator for westsim.com. The network consists of a single domain. All the servers run Windows Server 2016. All the clients run Windows 10. There is a single main office located in New York. A perimeter network separates the main office from the internet.

Corporate policy requires that all servers be isolated from the internet. No external clients may directly access internal resources unless the connection is secure. External connections to servers located in the perimeter network are permitted.

You plan to implement DirectAccess to support encrypted connections from remote clients to the internal network. A server named RRAS1 will provide DirectAccess connections for the clients. The DirectAccess clients will use IP-HTTPS connections. Certificates for the DirectAccess clients and servers will be issued by an Enterprise root CA named CA1. You need to configure CA1 to support DirectAccess clients.

What should you do?

- Install the Online Responder role service on CA1.
- Publish the CA1 Certificate Revocation List (CRL) on a server in the perimeter network.
- Add an entry for RRAS1 to the Hosts file on CA1.
- Publish the Enrollment Agent certificate on CA1.

EXPLANATION
You should publish the CA1 Certificate Revocation List (CRL) on a server in the perimeter network.

DirectAccess clients can use a number of protocols to connect from the internet to the intranet. All of the available options require IPv6. If there is not complete end-to-end support for IPv6, then they also require a transitional technology such as ISATAP, Teredo, or 6to4. Using IP-HTTPS allows the IPv6 traffic to be encapsulated in HTTPS packets. In order for this connection to be made, the clients must accept the certificate from the web server providing SSL connections. Clients will need to be able to check the Certificate Revocation List (CRL) to ensure the certificates are valid.
So, to support this feature, you must publish the CRL to a location accessible by the external clients. Since company policy dictates that all servers should be isolated from the internet and that external clients may not contact the internal network directly unless the communication is secure, you must locate the CRL in the perimeter network, where clients can download the CRL and use it to determine the validity of the SSL certificate before they connect to the internal network using DirectAccess.

The Online Responder role service is used to replace a CRL. When clients download a CRL, they receive a list of all the expired and revoked certificates for that CA. Over time, this list can become lengthy, which results in increased network traffic for CRL downloads and an increased processing burden on the client to search the CRL to see if a certificate is listed. Online responders service client requests by consulting the CRL and supplying the clients with just the validity status for a particular certificate. This moves the burden of processing the request to the online responder and greatly reduces network traffic. However, the issue in this question is that the revocation information must be accessible from the internet, so the solution must address making the revocation information available from a server in the perimeter network.

Enrollment agents obtain certificates on behalf of users and distribute the certificates to the users. This is commonly seen in companies that implement smart cards, where a designated enrollment agent obtains the smart card certificate on behalf of the user and uses the certificate to set up the smart card. DirectAccess does not require an enrollment agent.

You would use an entry in the computer's Hosts file if you wanted to ensure that the client resolves a particular name to a particular IP address. It is not necessary to provide static name resolution for CA1 to RRAS1.
REFERENCES
6.1 DirectAccess Installation
6.1.1 DirectAccess Overview
6.1.2 Installing DirectAccess
6.1.3 Configuring DirectAccess Clients
6.1.4 DirectAccess Installation Facts
6.1.5 DirectAccess Configuration Facts
7.3.1 NPS Network Policies

* Question 59: Correct
You are the network administrator for westsim.com. The network consists of a single domain. All the servers run Windows Server 2016. All the clients run Windows 10. The network has one main office located in Dallas. All of the switches in Dallas are managed switches.

You have decided to implement 802.1x authentication on the switches in Dallas. You configure the switches as RADIUS clients and issue computer certificates to the Network Policy Server (NPS) server and the client computers using a stand-alone root Certification Authority (CA) named CA1. You create an 802.3 wired policy on the NPS server requiring PEAP-MS-CHAP v2 authentication. After you implement the 802.3 wired policy, clients complain that they cannot connect to the network.

You need to ensure that clients can connect to the network using 802.1x authentication with the minimum amount of administrative effort. What should you do?

- Set the 802.3 wired policy to have a priority of 99,999.
- Reinstall CA1 as an Enterprise root CA and then re-issue the client certificates.
- Set the 802.3 wired policy to have a priority of 1.
- Add the certificate for CA1 to the Trusted Root Certification Authorities store on the client computers.

EXPLANATION
You should add the certificate for CA1 to the Trusted Root Certification Authorities store. When you configure the Network Policy Server (NPS) to require PEAP-MS-CHAP v2, the clients must trust the Certification Authority (CA) that issued the certificate. In this case, because CA1 is a stand-alone root CA, the client computers do not trust the NPS server certificate. Therefore, you must add the certificate to the client's Trusted Root Certification Authorities store, which you can do via group policy.
You could reinstall CA1 as an Enterprise root CA and then re-issue the client certificates, but it would be much more efficient to just add CA1's certificate to the client's Trusted Root Certification Authorities store.

The NPS policies will be evaluated in order from top to bottom, with 99,999 being the last policy. However, even moving the 802.3 wired policy higher in the list will not cause the clients to accept the server's certificate.

REFERENCES
7.1 Install Network Policy Server (NPS)
7.1.1 NPS Overview
7.1.2 Installing NPS
7.1.3 NPS Installation Facts
7.2 NPS Templates
7.2.1 NPS Templates Overview
7.2.2 Creating NPS Templates
7.2.3 NPS Template Facts
7.3 NPS Network Policies
7.3.5 Configuring a RADIUS Proxy
7.3.6 Configuring NPS Certificates
7.5 RADIUS Accounting
7.5.1 RADIUS Accounting
7.5.2 Configuring RADIUS Accounting
7.5.3 RADIUS Accounting Facts
7.6 Manage NPS Policies
7.6.1 Importing and Exporting NPS Policies
7.6.2 NPS Policy Management Facts

* Question 60: Correct
You are the network administrator for westsim.com. The network consists of a single domain named westsim.com. All the servers run Windows Server 2016. All the clients run Windows 8 or Windows 10. The main office contains a server named RRAS1 that has been configured to provide DirectAccess connectivity for clients. Clients complain that when they connect via DirectAccess, they are not able to resolve intranet names.

What should you do?

- Provide a static entry for RRAS1.westsim.com in the client's Hosts file.
- Define a connection-specific suffix for westsim.com in the client DNS settings.
- Check for westsim.com in the Name Resolution Policy Table.
- Create a new AAAA record for RRAS1.westsim.com in the westsim.com domain.

EXPLANATION
You should check for .westsim.com in the Name Resolution Policy Table. The Name Resolution Policy Table stores a list of DNS namespaces and corresponding configuration settings that define the DNS client's behavior for that namespace.
Each DNS query is compared to the namespaces defined in the Name Resolution Policy Table. If a match is found, the computer uses the information in the Name Resolution Policy Table to direct the DNS query to the appropriate DNS server. If a match is not found, the computer uses its regular DNS server to resolve the query.

You would create an AAAA record to allow resolution of a host name to an IPv6 address. While DirectAccess does require IPv6, you do not have to create any specific AAAA records. You can use a static entry in the computer's Hosts file if you want to ensure that the client resolves a particular name to a particular IP address. Creating a connection-specific suffix will not help, since westsim.com is already the primary suffix for the DNS client.

REFERENCES
6.2 DirectAccess Troubleshooting
6.2.1 DirectAccess Troubleshooting
6.2.2 Troubleshooting DirectAccess
6.2.3 DirectAccess Troubleshooting Facts
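The lookup logic the explanation of Question 60 describes, as an added Python model (not part of the exam material, and not how the Windows DNS client implements it internally): each query is compared against the namespaces in the Name Resolution Policy Table, the most specific matching entry decides which DNS servers receive the query, and an exemption entry or no match at all sends the query to the interface's regular DNS servers. The rule set, server addresses and host names below are constructed for illustration.

```python
"""Toy Name Resolution Policy Table (NRPT) matching for a DirectAccess client (added example)."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class NrptRule:
    namespace: str          # ".westsim.com" = suffix rule; "nls.westsim.com" = exact FQDN
    dns_servers: List[str]  # empty list = exemption: use the interface's normal DNS servers

    def matches(self, fqdn: str) -> bool:
        name = fqdn.lower().rstrip(".")
        ns = self.namespace.lower().rstrip(".")
        if ns.startswith("."):
            return name.endswith(ns)   # suffix rule covers every host under the namespace
        return name == ns              # exact rule covers one host only


def select_dns_servers(fqdn: str, rules: List[NrptRule],
                       interface_dns: List[str]) -> Tuple[str, List[str]]:
    """Decide where the client sends a query for fqdn.

    Returns ("nrpt", servers) when an NRPT rule directs the query, or
    ("interface", servers) when no rule matches or the best match is an exemption.
    """
    candidates = [r for r in rules if r.matches(fqdn)]
    if not candidates:
        return ("interface", interface_dns)
    best = max(candidates, key=lambda r: len(r.namespace))  # most specific entry wins
    if not best.dns_servers:
        return ("interface", interface_dns)
    return ("nrpt", best.dns_servers)


# Constructed DirectAccess-style table: intranet suffix goes to the DirectAccess
# server's DNS, the network location server and the public name are exempted.
DEMO_RULES = [
    NrptRule(".westsim.com", ["2001:db8:1::1"]),
    NrptRule("nls.westsim.com", []),
    NrptRule("da.westsim.com", []),
]
INTERFACE_DNS = ["192.0.2.53"]   # constructed: the ISP resolver a roaming laptop picks up


def intranet_names_reach_nrpt(rules: List[NrptRule], sample: str = "intranet.westsim.com") -> bool:
    """True if a sample intranet name would be directed by the NRPT rather than the ISP resolver."""
    source, _ = select_dns_servers(sample, rules, INTERFACE_DNS)
    return source == "nrpt"


if __name__ == "__main__":
    for name in ("intranet.westsim.com", "nls.westsim.com", "www.example.com"):
        print(name, "->", select_dns_servers(name, DEMO_RULES, INTERFACE_DNS))
    broken = [r for r in DEMO_RULES if r.namespace != ".westsim.com"]
    print("suffix rule missing, intranet names handled by NRPT:", intranet_names_reach_nrpt(broken))
```

Removing the .westsim.com suffix rule reproduces the symptom in the question: intranet names are handed to the ISP resolver, which cannot answer for them. On a real Windows client the effective table is inspected with Get-DnsClientNrptPolicy.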